df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 05:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Size

118KB
MD5

8337ccbf0f07fe774fe402a2f04b8e18
SHA1

f9cc893f7ac72aa430567625ebeff6d7017203e7
SHA256

df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63
SHA512

57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956
SSDEEP

1536:fWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAcgKwuT:+z6ODIn3u//vS4oE7tT

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 44 IoCs

pid	Process
2232	4k51k4.exe
1168	Shell.exe
2280	Shell.exe
1288	Shell.exe
264	Shell.exe
2976	Shell.exe
1364	Shell.exe
2416	IExplorer.exe
1940	Shell.exe
1984	Shell.exe
1328	4k51k4.exe
760	IExplorer.exe
2088	Shell.exe
1652	Shell.exe
2316	WINLOGON.EXE
1596	Shell.exe
2800	Shell.exe
1572	CSRSS.EXE
2116	Shell.exe
2608	Shell.exe
2616	SERVICES.EXE
3036	Shell.exe
1672	Shell.exe
2916	LSASS.EXE
2888	Shell.exe
1408	Shell.exe
1516	SMSS.EXE
2824	Shell.exe
1416	Shell.exe
536	WINLOGON.EXE
1064	Shell.exe
1940	Shell.exe
1608	CSRSS.EXE
2040	Shell.exe
1088	Shell.exe
1824	SERVICES.EXE
2396	Shell.exe
1728	Shell.exe
2324	LSASS.EXE
2484	Shell.exe
3008	Shell.exe
900	SMSS.EXE
580	Shell.exe
3064	Shell.exe

Loads dropped DLL 64 IoCs

pid	Process
2828	WerFault.exe
2828	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
600	WerFault.exe
2828	WerFault.exe
2828	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2812	WerFault.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
408	WerFault.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
1792	WerFault.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2712	WerFault.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe
2576	WerFault.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	F:\desktop.ini	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\P:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\R:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\S:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\X:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\E:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\G:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\K:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\T:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\U:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\W:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Z:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\B:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\I:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\J:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\L:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\V:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\H:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\M:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\O:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Q:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened (read-only)	\??\Y:	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0007000000016c89-8.dat	upx
behavioral1/memory/2232-116-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0008000000016d22-113.dat	upx
behavioral1/files/0x00060000000175f1-119.dat	upx
behavioral1/memory/1168-122-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2280-133-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1288-143-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2644-145-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2232-148-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1168-149-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2976-158-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1364-171-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2976-161-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x000d000000018683-173.dat	upx
behavioral1/memory/2416-181-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1940-189-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/264-197-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1984-200-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2416-206-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/760-269-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x000d000000018683-267.dat	upx
behavioral1/memory/1328-266-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2088-277-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1652-287-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/760-290-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2316-303-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/files/0x0005000000018706-297.dat	upx
behavioral1/memory/2800-310-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2644-314-0x00000000030E0000-0x0000000003104000-memory.dmp	upx
behavioral1/memory/1572-319-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2116-324-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2608-327-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1572-329-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3036-341-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2616-336-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2916-353-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2616-346-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2888-358-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1408-361-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2644-369-0x00000000030E0000-0x0000000003104000-memory.dmp	upx
behavioral1/memory/2916-364-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2824-374-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1416-377-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1516-378-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/536-412-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1064-415-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1940-418-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2040-431-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1088-434-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1608-437-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2396-446-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1728-449-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/1824-451-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2484-460-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3008-463-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2324-464-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/900-471-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/3064-478-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/900-479-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2644-481-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 15 IoCs

pid	pid_target	Process	procid_target
2828	2232	WerFault.exe	30
600	1168	WerFault.exe	32
2812	264	WerFault.exe	36
408	2416	WerFault.exe	40
1792	760	WerFault.exe	45
2712	2316	WerFault.exe	49
2576	1572	WerFault.exe	53
848	2616	WerFault.exe	57
2368	2916	WerFault.exe	61
1288	1516	WerFault.exe	65
2236	536	WerFault.exe	69
2416	1608	WerFault.exe	73
1576	1824	WerFault.exe	77
2100	2324	WerFault.exe	81
2312	900	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE

Modifies Control Panel 64 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Control Panel\Desktop\	LSASS.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
2232	4k51k4.exe
1168	Shell.exe
2280	Shell.exe
1288	Shell.exe
264	Shell.exe
2976	Shell.exe
1364	Shell.exe
2416	IExplorer.exe
1940	Shell.exe
1984	Shell.exe
1328	4k51k4.exe
760	IExplorer.exe
2088	Shell.exe
1652	Shell.exe
2316	WINLOGON.EXE
1596	Shell.exe
2800	Shell.exe
1572	CSRSS.EXE
2116	Shell.exe
2608	Shell.exe
2616	SERVICES.EXE
3036	Shell.exe
1672	Shell.exe
2916	LSASS.EXE
2888	Shell.exe
1408	Shell.exe
1516	SMSS.EXE
2824	Shell.exe
1416	Shell.exe
536	WINLOGON.EXE
1064	Shell.exe
1940	Shell.exe
1608	CSRSS.EXE
2040	Shell.exe
1088	Shell.exe
1824	SERVICES.EXE
2396	Shell.exe
1728	Shell.exe
2324	LSASS.EXE
2484	Shell.exe
3008	Shell.exe
900	SMSS.EXE
580	Shell.exe
3064	Shell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2232	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2644 wrote to memory of 2232	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2644 wrote to memory of 2232	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2644 wrote to memory of 2232	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	30
PID 2232 wrote to memory of 2828	2232	4k51k4.exe	31
PID 2232 wrote to memory of 2828	2232	4k51k4.exe	31
PID 2232 wrote to memory of 2828	2232	4k51k4.exe	31
PID 2232 wrote to memory of 2828	2232	4k51k4.exe	31
PID 1168 wrote to memory of 600	1168	Shell.exe	33
PID 1168 wrote to memory of 600	1168	Shell.exe	33
PID 1168 wrote to memory of 600	1168	Shell.exe	33
PID 1168 wrote to memory of 600	1168	Shell.exe	33
PID 264 wrote to memory of 2812	264	Shell.exe	37
PID 264 wrote to memory of 2812	264	Shell.exe	37
PID 264 wrote to memory of 2812	264	Shell.exe	37
PID 264 wrote to memory of 2812	264	Shell.exe	37
PID 2644 wrote to memory of 2416	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2644 wrote to memory of 2416	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2644 wrote to memory of 2416	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2644 wrote to memory of 2416	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	40
PID 2416 wrote to memory of 408	2416	IExplorer.exe	41
PID 2416 wrote to memory of 408	2416	IExplorer.exe	41
PID 2416 wrote to memory of 408	2416	IExplorer.exe	41
PID 2416 wrote to memory of 408	2416	IExplorer.exe	41
PID 2644 wrote to memory of 1328	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2644 wrote to memory of 1328	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2644 wrote to memory of 1328	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2644 wrote to memory of 1328	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	44
PID 2644 wrote to memory of 760	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2644 wrote to memory of 760	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2644 wrote to memory of 760	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 2644 wrote to memory of 760	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	45
PID 760 wrote to memory of 1792	760	IExplorer.exe	46
PID 760 wrote to memory of 1792	760	IExplorer.exe	46
PID 760 wrote to memory of 1792	760	IExplorer.exe	46
PID 760 wrote to memory of 1792	760	IExplorer.exe	46
PID 2644 wrote to memory of 2316	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2644 wrote to memory of 2316	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2644 wrote to memory of 2316	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2644 wrote to memory of 2316	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	49
PID 2316 wrote to memory of 2712	2316	WINLOGON.EXE	50
PID 2316 wrote to memory of 2712	2316	WINLOGON.EXE	50
PID 2316 wrote to memory of 2712	2316	WINLOGON.EXE	50
PID 2316 wrote to memory of 2712	2316	WINLOGON.EXE	50
PID 2644 wrote to memory of 1572	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2644 wrote to memory of 1572	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2644 wrote to memory of 1572	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 2644 wrote to memory of 1572	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	53
PID 1572 wrote to memory of 2576	1572	CSRSS.EXE	54
PID 1572 wrote to memory of 2576	1572	CSRSS.EXE	54
PID 1572 wrote to memory of 2576	1572	CSRSS.EXE	54
PID 1572 wrote to memory of 2576	1572	CSRSS.EXE	54
PID 2644 wrote to memory of 2616	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2644 wrote to memory of 2616	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2644 wrote to memory of 2616	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2644 wrote to memory of 2616	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	57
PID 2616 wrote to memory of 848	2616	SERVICES.EXE	58
PID 2616 wrote to memory of 848	2616	SERVICES.EXE	58
PID 2616 wrote to memory of 848	2616	SERVICES.EXE	58
PID 2616 wrote to memory of 848	2616	SERVICES.EXE	58
PID 2644 wrote to memory of 2916	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2644 wrote to memory of 2916	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2644 wrote to memory of 2916	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61
PID 2644 wrote to memory of 2916	2644	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe	61

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe

C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe
"C:\Users\Admin\AppData\Local\Temp\df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2232 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2828
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1168 -s 244
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:600
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2280
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1288
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Control Panel
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 248
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2812
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2976
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1364
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 224
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:408
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1940
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1984
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1328
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 224
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1792
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2088
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1652
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 204
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2712
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1596
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1572 -s 220
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2576
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2116
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2608
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2616 -s 204
    3⤵
    - Program crash
    PID:848
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3036
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1672
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2916
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 204
    3⤵
    - Program crash
    PID:2368
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2888
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1408
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1516
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 220
    3⤵
    - Program crash
    PID:1288
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2824
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1416
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:536
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 204
    3⤵
    - Program crash
    PID:2236
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1064
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1608
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1608 -s 220
    3⤵
    - Program crash
    PID:2416
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2040
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1088
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:1824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 204
    3⤵
    - Program crash
    PID:1576
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2396
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1728
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:2324
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 204
    3⤵
    - Program crash
    PID:2100
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2484
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3008
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  PID:900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 220
    3⤵
    - Program crash
    PID:2312
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:580
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
118KB

MD5
69ec8221b1299ec99d6d52f2df0ff1a0

SHA1
02046af0d048fc195183c33ad75ca54cb1b38da3

SHA256
4cd696613efc5acf3ad168d2fc6b101f8597adf3c7cd7347ba82960c728968ab

SHA512
22d5a861fe82212f1c117c0aaa51489e7d1019b427d557d4d7b8ec38dcb929e80fa505c286d10aaa43b7befe139299c212639ad0e5a15c628858e8fe28dadae3

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
118KB

MD5
8337ccbf0f07fe774fe402a2f04b8e18

SHA1
f9cc893f7ac72aa430567625ebeff6d7017203e7

SHA256
df1c82380fc0dd53216c42fef5ff592c98801a5392e5fe43f6c398429db79a63

SHA512
57b985043ee39c88391ef04f7f7d3de7375ad9e4d8f917448ea317d0b8b74bc00de7cd264937e454d9a16a9b87f8650e251f6af7e1b1b9a2901d8f79ccf38956

Download Submit
C:\Windows\4k51k4.exe

Filesize
118KB

MD5
9ce5360968d3bccb6082bd0fec0ba72a

SHA1
45788fee4f30600936f20dd44862b66a4da66b79

SHA256
0201d906efd52634ad34305800408175fb2ed912bad58f592aac74621dc83f70

SHA512
02edeb114d135982da92d74950e2c83b6dae78d3669de5dac052824a68a3261e7d0e763070855781d641f4ba9b0326feb8219fc223b7857062ae7747d4cb8996

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
cbda54ff34af7b9472a1b6f6cde13220

SHA1
b8fffd02fc818ef488fcb0b8e65013b341b63f32

SHA256
60570e9c8917bdf1e89acbcbb485dd262cd23f06e3c26b75a4c1b474cb2cc4d1

SHA512
6910f11066e00b1b6c2ac50bcd9b86dadb0b94e751f9298de762af9e586dadc22c7f55ce437a876e21cc13a2927624f3d400f4b8387c297dd9051c16384e5d72

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
118KB

MD5
8a0f62280bba9a949bb519e9b41c23d7

SHA1
ad2127b96c4cae048c29a62b808cf2b541168972

SHA256
3f4e604fa60fd0e961608c807dea2b2c1255154c1a83223aa4ce7292cd7471af

SHA512
53523ee0c9d7291d8bf21a9fdfa2d43ce682c25dd7971ccc6b24a8f9a137dc04f88dd8adbdd9671179c6c84fb3444cc38fed4f05fc776225599c62038cc375af

Download Submit
\Windows\SysWOW64\shell.exe

Filesize
118KB

MD5
262d959202e1f62dd720fb9e50f2db48

SHA1
3c2abac1d1049ef4a751b0b3e1c6031d794e3f15

SHA256
d1caaa5db6ebc6820f83622050b7240180b6a439671eaa293235646338fcd5b0

SHA512
3b9e46813ec73c03160072e7a6e014281752a3e7c9ea33ae26d230313b6df2fb4a2ed02eb2d8850f7b4efa51301966155cfea18d6faa9c155786c58b7c0125a3

Download Submit
memory/264-197-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/536-412-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/760-269-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/760-290-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/900-471-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/900-479-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1064-415-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1088-434-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-122-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1168-149-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1288-143-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1328-265-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1328-266-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1364-171-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1408-361-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1416-377-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1516-378-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-319-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1572-329-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1608-437-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1652-287-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1728-449-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1824-451-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-189-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1940-418-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1984-200-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2040-431-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2088-277-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2116-324-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-116-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2232-148-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2280-133-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2316-303-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2324-464-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2396-446-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-181-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2416-206-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2484-460-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2608-327-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2616-346-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2616-336-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-179-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-411-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-481-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-335-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-334-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-331-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-344-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-255-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-352-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-351-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-347-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-313-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-470-0x00000000005C0000-0x00000000005E4000-memory.dmp

Filesize
144KB

Download
memory/2644-268-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-362-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-365-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-369-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-115-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-289-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-302-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-114-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-314-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-318-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-410-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-147-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-312-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-426-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-425-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-424-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-301-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-146-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-435-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2644-145-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2644-300-0x00000000030E0000-0x0000000003104000-memory.dmp

Filesize
144KB

Download
memory/2800-310-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2824-374-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2888-358-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2916-364-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2916-353-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-158-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2976-161-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3008-463-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3036-341-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3064-478-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download