Analysis Overview
SHA256
60e76eda46185d1d2e9463d15e31d4c87eb03535d368cc3471c55992bc99ad5f
Threat Level: Known bad
The file WinLocker_Builder_0.4.exe was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
ModiLoader Second Stage
ASPack v2.12-2.42
UPX packed file
Executes dropped EXE
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-04 18:36
Signatures
ASPack v2.12-2.42
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-04 18:36
Reported
2024-05-04 18:41
Platform
win11-20240426-en
Max time kernel
300s
Max time network
298s
Command Line
Signatures
ModiLoader, DBatLoader
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Upx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3} | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "2" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "2" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2364 wrote to memory of 868 | N/A | C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe | C:\Users\Admin\AppData\Local\Temp\Upx.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe
"C:\Users\Admin\AppData\Local\Temp\WinLocker_Builder_0.4.exe"
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Users\Admin\AppData\Local\Temp\Upx.exe
"C:\Users\Admin\AppData\Local\Temp\Upx.exe" "C:\Users\Admin\Desktop\asd.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | f636bb22c96d1d096ff4d6140f045a97 |
| SHA1 | f0afce8b0a5c82fb52c70be4cdce039a7fff7cbc |
| SHA256 | 9ee21216db71d8e730a5decee8d1e6a166470c38096cb716491e11759453f52a |
| SHA512 | 20fd5108fa5cdc77bb325385968d3fd048c536f8ac51e7f66f51fe8e367c8cce35f93d3fc931a5c43945df3a1681e46191d00782e19b01e8975b50beb90e0b36 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | a1e53a66fae6381feb626622d4608a86 |
| SHA1 | fd0ba6b10878bba45bab306bb89020b7d6233d76 |
| SHA256 | 33f0f4861ddcd5fea204612598a89d50aafd7750426a19bdaee401dde0f093a6 |
| SHA512 | 9bf4ec9f975b63faed933bdd301c8a312c940ce89732355f47e3ad2a661534db7c13747bb799e1709399032cb1ccef997ccd3f4f80853ca2f63ab6010e1db001 |
C:\Users\Admin\Desktop\RCXD55F.tmp
| MD5 | 1d0aca621884b727941e738a116bf2a4 |
| SHA1 | 361e0f2e67de52443b89cbcbca96b067bc30eead |
| SHA256 | 51df50d806004e4d59be7c497b2b474d838822747b53a5422b17526300b362cb |
| SHA512 | 9dec55524dca4cfefcb0d4426d87fddf6c802f2babe973f170e540cc591ccc7f2e4a6b35c75c1a9c5a39e647370f0627556626aa85d2e63bf17e5da90de3cf39 |
C:\Users\Admin\AppData\Local\Temp\Upx.exe
| MD5 | 308f709a8f01371a6dd088a793e65a5f |
| SHA1 | a07c073d807ab0119b090821ee29edaae481e530 |
| SHA256 | c0f9faffdf14ab2c853880457be19a237b10f8986755f184ecfe21670076cb35 |
| SHA512 | c107f1af768d533d02fb82ae2ed5c126c63b53b11a2e5a5bbf45e396cb7796ca4e7984ce969b487ad38d817f4d4366e7953fb555b279aa019ffb5d1bbba57e28 |
C:\Users\Admin\Desktop\asd.exe
| MD5 | 97eb6f7ec0586fe37b82dbe2f522da35 |
| SHA1 | 7b9995845a89aec0a6eabe7e9eeb446abe8e5d58 |
| SHA256 | f738afbd4c316267d35e2f4d7b818139a55d8ef6b636c3bf736f1672cb4c8ea1 |
| SHA512 | 888850fe4ea693a5168d6c0f2ab638862dc1a09a1e25f1de8cbfb373753cad982f2461826f5fa54144ba04ff6ed2c19c5850d70a3a2edc3bbb2024cf42710c49 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
| MD5 | 867c71eff6afffc64e7f41954bd2cb75 |
| SHA1 | 25af5fd9e3d090aa1d99093eb33fb40c62e5d7e6 |
| SHA256 | c00505ed4ec8951a3d2a4374ac2c7cc01affdc03d2d81da1006c2eddb64fc089 |
| SHA512 | 94a8d8c4a89335bc9ddb85013dc64ac12e910a7fff1e3203e5f82ab0d3d72072937c84f16f9bb87432be7592764c18f981feedde7a9397a26aba2e64bfa839a9 |
C:\Users\Admin\Desktop\asd.exe
| MD5 | ba86a45f0ec07371681bb896a102a09b |
| SHA1 | 10ad3f69451300fe5c7d733f9787df5987bbbf1e |
| SHA256 | c136b7595dcb6ca9850377d104a930bae2ffb0fc787b5a52b3cb5a5210df8cdd |
| SHA512 | 5003e270d20c807e12391d99f5d57e2c2616a708e80b736228d40927afff474099345ae2aefee920d53198eb151de82184a8bbfc81cb49894a3288fef83b5519 |