a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	D3_08.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	D3_08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

Hidden Files and Directories

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	D3_08.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe

Disables RegEdit via registry modification 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 63 IoCs

pid	Process
2036	D3_08.exe
756	IExplorer.exe
764	WINLOGON.EXE
584	CSRSS.EXE
1520	SERVICES.EXE
1368	LSASS.EXE
948	SMSS.EXE
836	D3_08.exe
1956	IExplorer.exe
1464	D3_08.exe
996	WINLOGON.EXE
1788	D3_08.exe
1820	D3_08.exe
1808	D3_08.exe
1080	IExplorer.exe
1712	IExplorer.exe
1732	D3_08.exe
1932	D3_08.exe
1564	IExplorer.exe
1416	WINLOGON.EXE
1208	WINLOGON.EXE
1032	IExplorer.exe
860	IExplorer.exe
1612	IExplorer.exe
1952	D3_08.exe
1616	CSRSS.EXE
1972	CSRSS.EXE
1156	WINLOGON.EXE
828	IExplorer.exe
624	WINLOGON.EXE
1828	WINLOGON.EXE
1804	CSRSS.EXE
1388	SERVICES.EXE
1604	WINLOGON.EXE
1668	WINLOGON.EXE
1720	CSRSS.EXE
1336	SERVICES.EXE
2040	LSASS.EXE
1540	CSRSS.EXE
1524	CSRSS.EXE
1556	CSRSS.EXE
1324	SERVICES.EXE
1564	CSRSS.EXE
1504	SERVICES.EXE
676	SERVICES.EXE
1992	LSASS.EXE
1132	SERVICES.EXE
1624	SMSS.EXE
1968	SERVICES.EXE
1360	LSASS.EXE
1956	SERVICES.EXE
1880	LSASS.EXE
1572	LSASS.EXE
796	SMSS.EXE
1064	SMSS.EXE
112	LSASS.EXE
1152	LSASS.EXE
1788	LSASS.EXE
624	SMSS.EXE
552	SMSS.EXE
940	SMSS.EXE
1800	SMSS.EXE
1012	SMSS.EXE

Loads dropped DLL 64 IoCs

pid	Process
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
756	IExplorer.exe
756	IExplorer.exe
2036	D3_08.exe
2036	D3_08.exe
584	CSRSS.EXE
584	CSRSS.EXE
756	IExplorer.exe
756	IExplorer.exe
584	CSRSS.EXE
584	CSRSS.EXE
764	WINLOGON.EXE
764	WINLOGON.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1368	LSASS.EXE
1368	LSASS.EXE
756	IExplorer.exe
756	IExplorer.exe
584	CSRSS.EXE
764	WINLOGON.EXE
948	SMSS.EXE
948	SMSS.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
1368	LSASS.EXE
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
1368	LSASS.EXE
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
584	CSRSS.EXE
584	CSRSS.EXE
2036	D3_08.exe
2036	D3_08.exe
948	SMSS.EXE
948	SMSS.EXE
756	IExplorer.exe
1368	LSASS.EXE
584	CSRSS.EXE
756	IExplorer.exe
1368	LSASS.EXE
584	CSRSS.EXE
948	SMSS.EXE
948	SMSS.EXE
1520	SERVICES.EXE
1520	SERVICES.EXE
2036	D3_08.exe
2036	D3_08.exe
1368	LSASS.EXE
1368	LSASS.EXE

Adds Run key to start application 2 TTPs 56 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\D3_08 = "C:\\Windows\\D3_08.exe"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	D3_08.exe
File created	C:\desktop.ini	D3_08.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\N:	IExplorer.exe
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\Q:	CSRSS.EXE
File opened (read-only)	\??\W:	CSRSS.EXE
File opened (read-only)	\??\X:	SMSS.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\I:	SMSS.EXE
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\B:	LSASS.EXE
File opened (read-only)	\??\F:	LSASS.EXE
File opened (read-only)	\??\M:	LSASS.EXE
File opened (read-only)	\??\X:	LSASS.EXE
File opened (read-only)	\??\K:	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\B:	SMSS.EXE
File opened (read-only)	\??\T:	SMSS.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\L:	D3_08.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\G:	SMSS.EXE
File opened (read-only)	\??\Q:	SMSS.EXE
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\Q:	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\X:	D3_08.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\O:	CSRSS.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\N:	LSASS.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\N:	D3_08.exe
File opened (read-only)	\??\H:	CSRSS.EXE
File opened (read-only)	\??\S:	CSRSS.EXE
File opened (read-only)	\??\M:	SMSS.EXE
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\F:	D3_08.exe
File opened (read-only)	\??\I:	LSASS.EXE
File opened (read-only)	\??\X:	CSRSS.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\I:	CSRSS.EXE
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\P:	LSASS.EXE
File opened (read-only)	\??\O:	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened (read-only)	\??\X:	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\J:	D3_08.exe
File opened (read-only)	\??\Z:	D3_08.exe
File opened (read-only)	\??\W:	LSASS.EXE
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\S:	SMSS.EXE

Drops file in System32 directory 50 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	D3_08.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\MrD3_08.scr	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	D3_08.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	D3_08.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrD3_08.scr	D3_08.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\D3_08.exe	CSRSS.EXE
File opened for modification	C:\Windows\D3_08.exe	LSASS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	CSRSS.EXE
File opened for modification	C:\Windows\D3_08.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\D3_08.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File created	C:\Windows\D3_08.exe	LSASS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\D3_08.exe	WINLOGON.EXE
File opened for modification	C:\Windows\D3_08.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\D3_08.exe	D3_08.exe
File created	C:\Windows\D3_08.exe	D3_08.exe
File opened for modification	C:\Windows\D3_08.exe	IExplorer.exe
File created	C:\Windows\D3_08.exe	IExplorer.exe
File created	C:\Windows\D3_08.exe	SERVICES.EXE
File opened for modification	C:\Windows\D3_08.exe	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
File opened for modification	C:\Windows\D3_08.exe	SERVICES.EXE
File created	C:\Windows\D3_08.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 32 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	D3_08.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	D3_08.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	D3_08.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	D3_08.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2036	D3_08.exe
584	CSRSS.EXE
764	WINLOGON.EXE
948	SMSS.EXE
1520	SERVICES.EXE
756	IExplorer.exe
1368	LSASS.EXE

Suspicious use of SetWindowsHookEx 62 IoCs

pid	Process
1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
2036	D3_08.exe
756	IExplorer.exe
764	WINLOGON.EXE
584	CSRSS.EXE
1520	SERVICES.EXE
1368	LSASS.EXE
948	SMSS.EXE
836	D3_08.exe
1956	IExplorer.exe
1464	D3_08.exe
1788	D3_08.exe
1080	IExplorer.exe
1732	D3_08.exe
1820	D3_08.exe
1932	D3_08.exe
1564	IExplorer.exe
1416	WINLOGON.EXE
1208	WINLOGON.EXE
996	WINLOGON.EXE
1032	IExplorer.exe
860	IExplorer.exe
1612	IExplorer.exe
1952	D3_08.exe
1616	CSRSS.EXE
1972	CSRSS.EXE
624	WINLOGON.EXE
1828	WINLOGON.EXE
1388	SERVICES.EXE
828	IExplorer.exe
1668	WINLOGON.EXE
1604	WINLOGON.EXE
1720	CSRSS.EXE
2040	LSASS.EXE
1336	SERVICES.EXE
1540	CSRSS.EXE
1524	CSRSS.EXE
1324	SERVICES.EXE
1556	CSRSS.EXE
1504	SERVICES.EXE
1564	CSRSS.EXE
1804	CSRSS.EXE
676	SERVICES.EXE
1132	SERVICES.EXE
1992	LSASS.EXE
1968	SERVICES.EXE
1360	LSASS.EXE
1956	SERVICES.EXE
1624	SMSS.EXE
1572	LSASS.EXE
796	SMSS.EXE
1064	SMSS.EXE
1152	LSASS.EXE
1788	LSASS.EXE
1880	LSASS.EXE
112	LSASS.EXE
624	SMSS.EXE
940	SMSS.EXE
1012	SMSS.EXE
1800	SMSS.EXE
552	SMSS.EXE
1156	WINLOGON.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2036	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	27
PID 1304 wrote to memory of 2036	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	27
PID 1304 wrote to memory of 2036	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	27
PID 1304 wrote to memory of 2036	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	27
PID 1304 wrote to memory of 756	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	28
PID 1304 wrote to memory of 756	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	28
PID 1304 wrote to memory of 756	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	28
PID 1304 wrote to memory of 756	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	28
PID 1304 wrote to memory of 764	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	29
PID 1304 wrote to memory of 764	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	29
PID 1304 wrote to memory of 764	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	29
PID 1304 wrote to memory of 764	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	29
PID 1304 wrote to memory of 584	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	30
PID 1304 wrote to memory of 584	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	30
PID 1304 wrote to memory of 584	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	30
PID 1304 wrote to memory of 584	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	30
PID 1304 wrote to memory of 1520	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	31
PID 1304 wrote to memory of 1520	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	31
PID 1304 wrote to memory of 1520	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	31
PID 1304 wrote to memory of 1520	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	31
PID 1304 wrote to memory of 1368	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	32
PID 1304 wrote to memory of 1368	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	32
PID 1304 wrote to memory of 1368	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	32
PID 1304 wrote to memory of 1368	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	32
PID 1304 wrote to memory of 948	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	33
PID 1304 wrote to memory of 948	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	33
PID 1304 wrote to memory of 948	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	33
PID 1304 wrote to memory of 948	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	33
PID 1304 wrote to memory of 836	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	34
PID 1304 wrote to memory of 836	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	34
PID 1304 wrote to memory of 836	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	34
PID 1304 wrote to memory of 836	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	34
PID 1304 wrote to memory of 1956	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	35
PID 1304 wrote to memory of 1956	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	35
PID 1304 wrote to memory of 1956	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	35
PID 1304 wrote to memory of 1956	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	35
PID 2036 wrote to memory of 1464	2036	D3_08.exe	36
PID 2036 wrote to memory of 1464	2036	D3_08.exe	36
PID 2036 wrote to memory of 1464	2036	D3_08.exe	36
PID 2036 wrote to memory of 1464	2036	D3_08.exe	36
PID 1304 wrote to memory of 996	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	37
PID 1304 wrote to memory of 996	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	37
PID 1304 wrote to memory of 996	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	37
PID 1304 wrote to memory of 996	1304	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe	37
PID 756 wrote to memory of 1788	756	IExplorer.exe	38
PID 756 wrote to memory of 1788	756	IExplorer.exe	38
PID 756 wrote to memory of 1788	756	IExplorer.exe	38
PID 756 wrote to memory of 1788	756	IExplorer.exe	38
PID 764 wrote to memory of 1820	764	WINLOGON.EXE	39
PID 764 wrote to memory of 1820	764	WINLOGON.EXE	39
PID 764 wrote to memory of 1820	764	WINLOGON.EXE	39
PID 764 wrote to memory of 1820	764	WINLOGON.EXE	39
PID 584 wrote to memory of 1808	584	CSRSS.EXE	40
PID 584 wrote to memory of 1808	584	CSRSS.EXE	40
PID 584 wrote to memory of 1808	584	CSRSS.EXE	40
PID 584 wrote to memory of 1808	584	CSRSS.EXE	40
PID 756 wrote to memory of 1080	756	IExplorer.exe	41
PID 756 wrote to memory of 1080	756	IExplorer.exe	41
PID 756 wrote to memory of 1080	756	IExplorer.exe	41
PID 756 wrote to memory of 1080	756	IExplorer.exe	41
PID 1368 wrote to memory of 1732	1368	LSASS.EXE	45
PID 1368 wrote to memory of 1732	1368	LSASS.EXE	45
PID 1368 wrote to memory of 1732	1368	LSASS.EXE	45
PID 1368 wrote to memory of 1732	1368	LSASS.EXE	45

System policy modification 1 TTPs 24 IoCs

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	D3_08.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	D3_08.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE

C:\Users\Admin\AppData\Local\Temp\a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe
"C:\Users\Admin\AppData\Local\Temp\a06cde0c4240c9cb0da4b2cd36b2e9c116cd19aab6724a088484f4dc95a87aaf.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1304
- C:\Windows\D3_08.exe
  C:\Windows\D3_08.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2036
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1504
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1360
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:756
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1080
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1416
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1616
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1064
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:764
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1156
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1956
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:584
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1388
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1624
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1520
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1612
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:624
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1012
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1368
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:860
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1720
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1880
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:948
- - C:\Windows\D3_08.exe
    C:\Windows\D3_08.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:828
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:676
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1152
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:624
- C:\Windows\D3_08.exe
  C:\Windows\D3_08.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:836
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:996
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1132
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry