Analysis
max time kernel
162s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
20/10/2022, 20:01
Static task
static1
Behavioral task
behavioral1
Sample
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe
Resource
win10v2004-20220812-en
General
Target
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe
Size
65KB
MD5
a05cebf02245e0c0b3ec657685decd60
SHA1
1af0904a3344dd97c6506a296bde7a250b1f3846
SHA256
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971
SHA512
e7f228f7a6962b8105c33fdafa332611572b49b81e7a05f845dd4507de906a82ca63cb916970b53f45f1f292242997549360adbf1c3adbe0b2005dada752e4bf
SSDEEP
768:hQAG+3HJPqwBcNpYje8KnUqWBGuwSG4lNKNeEbMbap2WUqi5nEwekfE9n:hRXJPQDZORb+ectRwwR
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 10 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WishfulThinking.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows 
NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\WishfulThinking.exe\"" SERVICES.EXE -
Modifies system executable filetype association 2 TTPs 62 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Modifies visibility of hidden/system files in Explorer 2 TTPs 5 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" nEwb0Rn.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = 
"1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE -
Blocks application from running via registry modification 55 IoCs
Adds application to list of disallowed applications.
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" SERVICES.EXE Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "rstrui.exe" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "notepad.exe" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "taskmgr.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe" nEwb0Rn.exe Key created 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "regedit.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "msconfig.exe" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "mmc.exe" WINLOGON.EXE Set value (int) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "install.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ntvdm.exe" SERVICES.EXE -
Disables RegEdit via registry modification 10 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE -
Disables use of System Restore points 1 TTP
Executes dropped EXE 24 IoCs
pid Process 828 nEwb0Rn.exe 3932 WishfulThinking.exe 4560 WINLOGON.EXE 1704 nEwb0Rn.exe 3656 WishfulThinking.exe 216 WINLOGON.EXE 4304 SERVICES.EXE 640 SERVICES.EXE 724 nEwb0Rn.exe 3704 WishfulThinking.exe 5044 nEwb0Rn.exe 2340 WishfulThinking.exe 2796 WINLOGON.EXE 3048 nEwb0Rn.exe 1268 SERVICES.EXE 4220 WINLOGON.EXE 3552 WishfulThinking.exe 3424 SERVICES.EXE 4992 WINLOGON.EXE 3416 SERVICES.EXE 5016 nEwb0Rn.exe 3324 WishfulThinking.exe 4228 WINLOGON.EXE 3592 SERVICES.EXE -
Sets file execution options in registry 2 TTPs 60 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set 
value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe WINLOGON.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = 
"C:\\Windows\\system32\\cmd.exe" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\system32\\cmd.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Loads dropped DLL 5 IoCs — the five PIDs listed below are all instances of the dropped C:\Windows\nEwb0Rn.exe. The DLL is not named in this section; the only dropped DLL recorded anywhere in this report is msvbvm60.dll (the VB6 runtime), which WishfulThinking.exe writes to both C:\Windows and C:\Windows\SysWOW64, so that is presumably what is being loaded here — confirm against the file-drop sections before relying on it.
pid Process 1704 nEwb0Rn.exe 724 nEwb0Rn.exe 5044 nEwb0Rn.exe 3048 nEwb0Rn.exe 5016 nEwb0Rn.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" nEwb0Rn.exe Set value 
(int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\ WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" WishfulThinking.exe -
Adds Run key to start application 2 TTPs 25 IoCs — three distinct entries are written: a per-user HKCU Run value nEwb0Rn pointing at C:\Windows\nEwb0Rn.exe, and two machine-wide HKLM (WOW6432Node) Run values, n3wb012nAdmin and n210bw3n, pointing at copies named WINLOGON.EXE and SERVICES.EXE under the user's Local Settings\Application Data\WINDOWS directory. Those file names mimic the legitimate winlogon.exe and services.exe in System32, so a detection keyed on process name alone will not separate them — match on image path. The first HKLM value name appears to embed the running user name ("Admin"), so expect it to vary per victim.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ SERVICES.EXE Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n3wb012nAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\n210bw3n = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ SERVICES.EXE Set value (str) 
\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nEwb0Rn = "C:\\Windows\\nEwb0Rn.exe" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Drops desktop.ini file(s) 2 IoCs
description ioc Process File opened for modification C:\desktop.ini 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File created C:\desktop.ini 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of drives other than the default C: drive. In this run the original sample and each of its dropped copies (nEwb0Rn.exe, WINLOGON.EXE, SERVICES.EXE, WishfulThinking.exe) open the roots of drive letters from B: through Z: read-only, i.e. they sweep the whole letter range rather than querying specific volumes. That pattern is consistent with looking for removable or mapped drives to spread to, but this report only records the read-only opens; whether anything is written to such drives cannot be confirmed from it — detonate with a secondary volume mounted to check.
description ioc Process File opened (read-only) \??\Z: nEwb0Rn.exe File opened (read-only) \??\O: WINLOGON.EXE File opened (read-only) \??\Z: WINLOGON.EXE File opened (read-only) \??\P: nEwb0Rn.exe File opened (read-only) \??\N: nEwb0Rn.exe File opened (read-only) \??\H: WishfulThinking.exe File opened (read-only) \??\H: WINLOGON.EXE File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\Q: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\J: WishfulThinking.exe File opened (read-only) \??\R: WINLOGON.EXE File opened (read-only) \??\Q: nEwb0Rn.exe File opened (read-only) \??\W: WINLOGON.EXE File opened (read-only) \??\V: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\S: nEwb0Rn.exe File opened (read-only) \??\L: SERVICES.EXE File opened (read-only) \??\P: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\E: WishfulThinking.exe File opened (read-only) \??\J: WINLOGON.EXE File opened (read-only) \??\Q: WINLOGON.EXE File opened (read-only) \??\M: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\J: nEwb0Rn.exe File opened (read-only) \??\N: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\E: SERVICES.EXE File opened (read-only) \??\F: nEwb0Rn.exe File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\S: SERVICES.EXE File opened (read-only) \??\T: nEwb0Rn.exe File opened (read-only) \??\O: WishfulThinking.exe File opened (read-only) \??\W: nEwb0Rn.exe File opened (read-only) \??\U: WINLOGON.EXE File opened (read-only) \??\V: SERVICES.EXE File opened (read-only) \??\G: WishfulThinking.exe File opened (read-only) \??\K: WishfulThinking.exe File opened (read-only) \??\N: WishfulThinking.exe File opened (read-only) \??\K: nEwb0Rn.exe File opened (read-only) \??\Y: 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\L: WishfulThinking.exe File opened (read-only) \??\P: SERVICES.EXE File opened (read-only) \??\O: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\O: SERVICES.EXE File opened (read-only) \??\L: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\T: WishfulThinking.exe File opened (read-only) \??\E: WINLOGON.EXE File opened (read-only) \??\R: SERVICES.EXE File opened (read-only) \??\T: SERVICES.EXE File opened (read-only) \??\W: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\S: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\X: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\F: WINLOGON.EXE File opened (read-only) \??\U: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\Y: WishfulThinking.exe File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\R: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\S: WishfulThinking.exe File opened (read-only) \??\Y: nEwb0Rn.exe File opened (read-only) \??\W: WishfulThinking.exe File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\Y: WINLOGON.EXE File opened (read-only) \??\T: 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\X: WINLOGON.EXE File opened (read-only) \??\U: SERVICES.EXE -
Drops file in System32 directory 34 IoCs — every path recorded here is under C:\Windows\SysWOW64, not C:\Windows\System32. The sample appears to be a 32-bit VB6 binary (it ships msvbvm60.dll and its HKLM writes land under WOW6432Node), so on this x64 image WOW64 file-system redirection sends its "system32" writes to SysWOW64. Registry values set elsewhere in this report (SCRNSAVE.EXE, the exefile/batfile/comfile/piffile/lnkfile open commands) reference C:\Windows\system32\...; a 64-bit consumer resolves that to the native System32, where JawsOfLife.exe and DamageControl.scr were never written, so those hooks may be inert on 64-bit hosts — compare with the win7 task before concluding either way.
description ioc Process File opened for modification C:\Windows\SysWOW64\DamageControl.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File created C:\Windows\SysWOW64\JawsOfLife.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr WishfulThinking.exe File created C:\Windows\SysWOW64\DamageControl.scr 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WishfulThinking.exe File created C:\Windows\SysWOW64\WishfulThinking.exe WINLOGON.EXE File opened for modification 
C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\DamageControl.scr 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened for modification C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe nEwb0Rn.exe File created C:\Windows\SysWOW64\WishfulThinking.exe nEwb0Rn.exe File opened for modification C:\Windows\SysWOW64\JawsOfLife.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\DamageControl.scr SERVICES.EXE File created C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll WishfulThinking.exe -
Drops file in Windows directory 22 IoCs — the worm copy nEwb0Rn.exe and msvbvm60.dll are written directly under C:\Windows. Writing there, and the HKLM registry changes throughout this report, require administrative rights, so this run reflects execution with elevated privileges; under a standard user these drops and the machine-wide persistence would fail, leaving only the per-user pieces (HKCU Run, Control Panel values). Placing msvbvm60.dll next to nEwb0Rn.exe presumably lets the VB6 runtime load from the application directory even where it is not installed, which matches the "Loads dropped DLL" entries for nEwb0Rn.exe.
description ioc Process File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe WINLOGON.EXE File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe SERVICES.EXE File created C:\Windows\nEwb0Rn.exe nEwb0Rn.exe File created C:\Windows\nEwb0Rn.exe WINLOGON.EXE File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\nEwb0Rn.exe 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File created C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\msvbvm60.dll WishfulThinking.exe File opened for modification C:\Windows\nEwb0Rn.exe SERVICES.EXE -
Modifies Control Panel 45 IoCs — the security-relevant values are under HKCU\Control Panel\Desktop: SCRNSAVE.EXE is set to the dropped DamageControl.scr (8.3 form DAMAGE~1.SCR) with ScreenSaveTimeOut = 600 and ScreenSaverIsSecure = 0, giving the sample a further execution path after ten idle minutes with no password required on resume. AutoEndTasks = 1 makes Windows kill hung applications at logoff/shutdown without prompting. WaitToKillServiceTimeout under Control Panel\Desktop is not where Windows reads that setting (the service timeout lives under HKLM\SYSTEM\CurrentControlSet\Control; the per-user Desktop value is WaitToKillAppTimeout), so that write is probably inert. The International s1159/s2359 changes replace the AM/PM strings with "Inanimate"/"Animate" — cosmetic, but a distinctive IoC.
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "Animate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "Inanimate" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "Inanimate" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control 
Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "Animate" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "Animate" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "Inanimate" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "Inanimate" nEwb0Rn.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WishfulThinking.exe 
Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s2359 = "Animate" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\AutoEndTasks = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WishfulThinking.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control 
Panel\International\s2359 = "Animate" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\DAMAGE~1.SCR" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\s1159 = "Inanimate" WishfulThinking.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\ WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" nEwb0Rn.exe Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WishfulThinking.exe Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "w32.nEwb0Rn.A" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\ SERVICES.EXE -
Modifies data under HKEY_USERS 15 IoCs — the same AutoEndTasks = 1 and WaitToKillServiceTimeout = 1 writes are repeated into the .DEFAULT hive, so they also apply to the default/logon-screen profile. Note that WaitToKillServiceTimeout under Control Panel\Desktop is not a location Windows reads that setting from (it lives under HKLM\SYSTEM\CurrentControlSet\Control), so that particular write is probably inert; AutoEndTasks is the effective one.
description ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" nEwb0Rn.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WishfulThinking.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" SERVICES.EXE Key created \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" WINLOGON.EXE Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\AutoEndTasks = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" nEwb0Rn.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\WaitToKillServiceTimeout = "1" WishfulThinking.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ nEwb0Rn.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ WishfulThinking.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" WishfulThinking.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\JawsOfLife.exe\" \"%1\" %*" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe -
Suspicious behavior: GetForegroundWindowSpam 4 IoCs
pid Process 828 nEwb0Rn.exe 4560 WINLOGON.EXE 3932 WishfulThinking.exe 4304 SERVICES.EXE -
Suspicious use of SetWindowsHookEx 25 IoCs
pid Process 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 828 nEwb0Rn.exe 3932 WishfulThinking.exe 4560 WINLOGON.EXE 1704 nEwb0Rn.exe 3656 WishfulThinking.exe 216 WINLOGON.EXE 4304 SERVICES.EXE 640 SERVICES.EXE 724 nEwb0Rn.exe 3704 WishfulThinking.exe 5044 nEwb0Rn.exe 2796 WINLOGON.EXE 2340 WishfulThinking.exe 3048 nEwb0Rn.exe 4220 WINLOGON.EXE 1268 SERVICES.EXE 3552 WishfulThinking.exe 3424 SERVICES.EXE 4992 WINLOGON.EXE 3416 SERVICES.EXE 5016 nEwb0Rn.exe 3324 WishfulThinking.exe 4228 WINLOGON.EXE 3592 SERVICES.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1392 wrote to memory of 828 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 82 PID 1392 wrote to memory of 828 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 82 PID 1392 wrote to memory of 828 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 82 PID 1392 wrote to memory of 3932 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 83 PID 1392 wrote to memory of 3932 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 83 PID 1392 wrote to memory of 3932 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 83 PID 1392 wrote to memory of 4560 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 84 PID 1392 wrote to memory of 4560 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 84 PID 1392 wrote to memory of 4560 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 84 PID 1392 wrote to memory of 1704 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 85 PID 1392 wrote to memory of 1704 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 85 PID 1392 wrote to memory of 1704 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 85 PID 1392 wrote to memory of 3656 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 86 PID 1392 wrote to memory of 3656 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 86 PID 1392 wrote to memory of 3656 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 86 PID 1392 wrote to memory of 216 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 87 PID 1392 wrote to memory of 216 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 87 PID 1392 wrote to memory of 216 1392 
81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 87 PID 1392 wrote to memory of 4304 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 88 PID 1392 wrote to memory of 4304 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 88 PID 1392 wrote to memory of 4304 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 88 PID 828 wrote to memory of 724 828 nEwb0Rn.exe 90 PID 828 wrote to memory of 724 828 nEwb0Rn.exe 90 PID 828 wrote to memory of 724 828 nEwb0Rn.exe 90 PID 1392 wrote to memory of 640 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 89 PID 1392 wrote to memory of 640 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 89 PID 1392 wrote to memory of 640 1392 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe 89 PID 828 wrote to memory of 3704 828 nEwb0Rn.exe 91 PID 828 wrote to memory of 3704 828 nEwb0Rn.exe 91 PID 828 wrote to memory of 3704 828 nEwb0Rn.exe 91 PID 3932 wrote to memory of 5044 3932 WishfulThinking.exe 92 PID 3932 wrote to memory of 5044 3932 WishfulThinking.exe 92 PID 3932 wrote to memory of 5044 3932 WishfulThinking.exe 92 PID 3932 wrote to memory of 2340 3932 WishfulThinking.exe 93 PID 3932 wrote to memory of 2340 3932 WishfulThinking.exe 93 PID 3932 wrote to memory of 2340 3932 WishfulThinking.exe 93 PID 828 wrote to memory of 2796 828 nEwb0Rn.exe 94 PID 828 wrote to memory of 2796 828 nEwb0Rn.exe 94 PID 828 wrote to memory of 2796 828 nEwb0Rn.exe 94 PID 4560 wrote to memory of 3048 4560 WINLOGON.EXE 95 PID 4560 wrote to memory of 3048 4560 WINLOGON.EXE 95 PID 4560 wrote to memory of 3048 4560 WINLOGON.EXE 95 PID 3932 wrote to memory of 4220 3932 WishfulThinking.exe 97 PID 3932 wrote to memory of 4220 3932 WishfulThinking.exe 97 PID 3932 wrote to memory of 4220 3932 WishfulThinking.exe 97 PID 828 wrote to memory of 1268 828 nEwb0Rn.exe 96 PID 828 wrote to memory of 1268 828 nEwb0Rn.exe 96 
PID 828 wrote to memory of 1268 828 nEwb0Rn.exe 96 PID 4560 wrote to memory of 3552 4560 WINLOGON.EXE 98 PID 4560 wrote to memory of 3552 4560 WINLOGON.EXE 98 PID 4560 wrote to memory of 3552 4560 WINLOGON.EXE 98 PID 3932 wrote to memory of 3424 3932 WishfulThinking.exe 99 PID 3932 wrote to memory of 3424 3932 WishfulThinking.exe 99 PID 3932 wrote to memory of 3424 3932 WishfulThinking.exe 99 PID 4560 wrote to memory of 4992 4560 WINLOGON.EXE 100 PID 4560 wrote to memory of 4992 4560 WINLOGON.EXE 100 PID 4560 wrote to memory of 4992 4560 WINLOGON.EXE 100 PID 4560 wrote to memory of 3416 4560 WINLOGON.EXE 101 PID 4560 wrote to memory of 3416 4560 WINLOGON.EXE 101 PID 4560 wrote to memory of 3416 4560 WINLOGON.EXE 101 PID 4304 wrote to memory of 5016 4304 SERVICES.EXE 102 PID 4304 wrote to memory of 5016 4304 SERVICES.EXE 102 PID 4304 wrote to memory of 5016 4304 SERVICES.EXE 102 PID 4304 wrote to memory of 3324 4304 SERVICES.EXE 103 -
System policy modification 1 TTPs 35 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" nEwb0Rn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WishfulThinking.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" nEwb0Rn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" nEwb0Rn.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFileAssociate = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" 81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegedit = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WishfulThinking.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1" WINLOGON.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe — command line: "C:\Users\Admin\AppData\Local\Temp\81f8f21fb4cdc6e0f05e62e183e5f90725cc517bf08a1ecb157f665ea2e8f971.exe" (level 1)
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1392 -
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 2)
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:828 -
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:724
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3704
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2796
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1268
-
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 2)
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3932 -
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5044
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2340
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4220
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3424
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 2)
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4560 -
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3048
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3552
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4992
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3416
-
-
-
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 2)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 2)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3656
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:216
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 2)
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Windows security bypass
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4304 -
C:\Windows\nEwb0Rn.exe — command line: C:\Windows\nEwb0Rn.exe (level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5016
-
-
C:\Windows\SysWOW64\WishfulThinking.exe — command line: C:\Windows\system32\WishfulThinking.exe (level 3)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3324
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4228
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 3)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3592
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE — command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE" (level 2)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:640
-
Network
MITRE ATT&CK Enterprise v6
Persistence
Change Default File Association 1
Hidden Files and Directories 2
Registry Run Keys / Startup Folder 2
Winlogon Helper DLL 1
Defense Evasion
Disabling Security Tools 2
Hidden Files and Directories 2
Modify Registry 10
Downloads
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 e5efe743545547edda84a73e88a26e1d
SHA1 edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA256 77518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA512 5b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5 5447d47e33b2faeb760f0f8fc91f1b03
SHA1 69c27507f6c78782491be458c43c68543d86b987
SHA256 3bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA512 9f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5 f81a60acd64a3561ce746cf9a1191596
SHA1 ac7fba8795953802764ff2912003c43d1e7e6364
SHA256 84b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA512 9961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5 2303809dc129ce553c284e1cafd684cc
SHA1 ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA256 0cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512 ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5 e5efe743545547edda84a73e88a26e1d
SHA1 edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA256 77518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA512 5b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5 5447d47e33b2faeb760f0f8fc91f1b03
SHA1 69c27507f6c78782491be458c43c68543d86b987
SHA256 3bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA512 9f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
65KB
MD55447d47e33b2faeb760f0f8fc91f1b03
SHA169c27507f6c78782491be458c43c68543d86b987
SHA2563bc4e674bb9a2ad7346b3ba97730aa1f820b2a04e457ec054d9a5adb0912532c
SHA5129f95380af7cebfdeeda812c7d567804a3310711a525211b107178d2c82b6d8ddd9d1de33beab9baaf9b4949d50eed45e5c98bb03b359c0750abfaf895de8b509
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
2KB
MD594c0c5518c4f4bb044842a006d04932a
SHA123d9a914f6681d65e2b1faa171f4cf492562ebdb
SHA256224c4e5cdc0e7495c5fb5d1f52d76807092b5cc2d0a7c95fa612ff7b1412706e
SHA51279cb2cd9e19ac3cc8bd94f1a20369e61224f8db02bc04d1f5768d62163b68467a3d317808a942bc7cca6ca84c221bb54a76e097f543c88bb89f0a3c9534ff3bb
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5e5efe743545547edda84a73e88a26e1d
SHA1edf56c90d4e0ba1fedc9ebfbf2910101da9c0ca4
SHA25677518c3016e4f04732da3068b1f9f6a9d2df143d044cb57dcd479822f6165fcb
SHA5125b1d4bc0cc8defb8bb5dd84cacdaaff6f96edc07189c915d17c7b4c7352504c7e6a69b08404df6d215ef93495da38f4dac2d1f0598649e8b4f5f718a7a468c83
-
Filesize
65KB
MD5f81a60acd64a3561ce746cf9a1191596
SHA1ac7fba8795953802764ff2912003c43d1e7e6364
SHA25684b893bf129d1b0e50f761e3c350d5c35ac278b303c136c3ef00b6fc8c4bb01b
SHA5129961971175990c4e407f98a27dfc75ce52c275c0b7de8f68bfc76ba3c9a38b0c7483766044bbe34f9c077937b6554bf2a841fc399f97ab1bdb17b6b898ed188f
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb
-
Filesize
65KB
MD52303809dc129ce553c284e1cafd684cc
SHA1ea352af2adfa4d99b2f156e9a6c8b8d07d9ce6c2
SHA2560cc6c5eda2d231571a848bc23627617a315a79c9fb13665de0a3736430044cbe
SHA512ba4f1d3d06a32891ffc37788ec6310ccb27720263c44d7349b6369d052cea356c6c8e88c1db5034fc6a64f10f11066e945432525c23d6a98e7608b93810a4dcb