Malware Analysis Report

2024-10-23 19:35

Sample ID 240504-w89npaeh51
Target WinLocker_Builder_0.4.exe
SHA256 60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
Tags
aspackv2 modiloader trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f

Threat Level: Known bad

The file WinLocker_Builder_0.4.exe was found to be: Known bad.

Malicious Activity Summary

aspackv2 modiloader trojan upx

ModiLoader, DBatLoader

ModiLoader Second Stage

ASPack v2.12-2.42

UPX packed file

Executes dropped EXE

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-04 18:36

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-04 18:36

Reported

2024-05-04 18:41

Platform

win11-20240426-en

Max time kernel

300s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Upx.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "2" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe

"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Users\Admin\AppData\Local\Temp\Upx.exe

"C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Desktop\asd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2364-0-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-1-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2364-2-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-4-0x00000000006F0000-0x00000000006F1000-memory.dmp

memory/2364-13-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-15-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-16-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-17-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-18-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-20-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-21-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-22-0x0000000000400000-0x0000000000545000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 f636bb22c96d1d096ff4d6140f045a97
SHA1 f0afce8b0a5c82fb52c70be4cdce039a7fff7cbc
SHA256 9ee21216db71d8e730a5decee8d1e6a166470c38096cb716491e11759453f52a
SHA512 20fd5108fa5cdc77bb325385968d3fd048c536f8ac51e7f66f51fe8e367c8cce35f93d3fc931a5c43945df3a1681e46191d00782e19b01e8975b50beb90e0b36

memory/2364-31-0x0000000000400000-0x0000000000545000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 a1e53a66fae6381feb626622d4608a86
SHA1 fd0ba6b10878bba45bab306bb89020b7d6233d76
SHA256 33f0f4861ddcd5fea204612598a89d50aafd7750426a19bdaee401dde0f093a6
SHA512 9bf4ec9f975b63faed933bdd301c8a312c940ce89732355f47e3ad2a661534db7c13747bb799e1709399032cb1ccef997ccd3f4f80853ca2f63ab6010e1db001

memory/2364-43-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-44-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-47-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-48-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-49-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-50-0x0000000000400000-0x0000000000545000-memory.dmp

memory/2364-51-0x0000000000400000-0x0000000000545000-memory.dmp

C:\Users\Admin\Desktop\RCXD55F.tmp

MD5 1d0aca621884b727941e738a116bf2a4
SHA1 361e0f2e67de52443b89cbcbca96b067bc30eead
SHA256 51df50d806004e4d59be7c497b2b474d838822747b53a5422b17526300b362cb
SHA512 9dec55524dca4cfefcb0d4426d87fddf6c802f2babe973f170e540cc591ccc7f2e4a6b35c75c1a9c5a39e647370f0627556626aa85d2e63bf17e5da90de3cf39

C:\Users\Admin\AppData\Local\Temp\Upx.exe

MD5 308f709a8f01371a6dd088a793e65a5f
SHA1 a07c073d807ab0119b090821ee29edaae481e530
SHA256 c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35
SHA512 c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28

C:\Users\Admin\Desktop\asd.exe

MD5 97eb6f7ec0586fe37b82dbe2f522da35
SHA1 7b9995845a89aec0a6eabe7e9eeb446abe8e5d58
SHA256 f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1
SHA512 888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

MD5 867c71eff6afffc64e7f41954bd2cb75
SHA1 25af5fd9e3d090aa1d99093eb33fb40c62e5d7e6
SHA256 c00505ed4ec8951a3d2a4374ac2c7cc01affdc03d2d81da1006c2eddb64fc089
SHA512 94a8d8c4a89335bc9ddb85013dc64ac12e910a7fff1e3203e5f82ab0d3d72072937c84f16f9bb87432be7592764c18f981feedde7a9397a26aba2e64bfa839a9

memory/868-101-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Users\Admin\Desktop\asd.exe

MD5 ba86a45f0ec07371681bb896a102a09b
SHA1 10ad3f69451300fe5c7d733f9787df5987bbbf1e
SHA256 c136b7595dcb6ca9850377d104a930bae2ffb0fc787b5a52b3cb5a5210df8cdd
SHA512 5003e270d20c807e12391d99f5d57e2c2616a708e80b736228d40927afff474099345ae2aefee920d53198eb151de82184a8bbfc81cb49894a3288fef83b5519

memory/868-110-0x0000000000400000-0x000000000057E000-memory.dmp