8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16-05-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Size

1.1MB
MD5

1ad1254d89feb40d38edf3d3c7f1bf50
SHA1

2bc21e6d45118d8e0afe00cd5b01d1749a584ac0
SHA256

8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209
SHA512

01c0e5735fbe81956bdad526c495fb1393b311568ce65b38d2ffbf1fc4ab9150281f36f39faca790e7510665a7daff9420cf0bebc21337cbed501b9c942b6a54
SSDEEP

6144:mjljqj9jCfj9j3j9jtj9jOj9j9j9jvj9jGj9jSj9jSj9jmj9jE:8f

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 56 IoCs

pid	Process
2804	4k51k4.exe
2992	IExplorer.exe
1848	WINLOGON.EXE
1684	CSRSS.EXE
2680	SERVICES.EXE
2000	LSASS.EXE
1648	SMSS.EXE
776	4k51k4.exe
1304	IExplorer.exe
1496	WINLOGON.EXE
1992	4k51k4.exe
1392	CSRSS.EXE
1568	IExplorer.exe
3064	4k51k4.exe
2332	WINLOGON.EXE
1812	SERVICES.EXE
1524	CSRSS.EXE
1804	IExplorer.exe
2876	LSASS.EXE
2652	WINLOGON.EXE
1448	CSRSS.EXE
1668	SMSS.EXE
1744	SERVICES.EXE
2724	SERVICES.EXE
2648	LSASS.EXE
2556	LSASS.EXE
2504	SMSS.EXE
2736	SMSS.EXE
2020	4k51k4.exe
2700	4k51k4.exe
1436	4k51k4.exe
2768	IExplorer.exe
1788	4k51k4.exe
2204	WINLOGON.EXE
2764	IExplorer.exe
1736	IExplorer.exe
816	IExplorer.exe
1724	CSRSS.EXE
1296	WINLOGON.EXE
1304	WINLOGON.EXE
2412	WINLOGON.EXE
408	SERVICES.EXE
1396	CSRSS.EXE
1992	CSRSS.EXE
1888	LSASS.EXE
1884	SMSS.EXE
928	SERVICES.EXE
2936	SERVICES.EXE
1652	CSRSS.EXE
1812	LSASS.EXE
968	LSASS.EXE
2216	SMSS.EXE
1524	SERVICES.EXE
1108	SMSS.EXE
1744	LSASS.EXE
2124	SMSS.EXE

Loads dropped DLL 64 IoCs

pid	Process
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2804	4k51k4.exe
2804	4k51k4.exe
2804	4k51k4.exe
2804	4k51k4.exe
2804	4k51k4.exe
2804	4k51k4.exe
2992	IExplorer.exe
2992	IExplorer.exe
2992	IExplorer.exe
2804	4k51k4.exe
2804	4k51k4.exe
2992	IExplorer.exe
2992	IExplorer.exe
2804	4k51k4.exe
2804	4k51k4.exe
2992	IExplorer.exe
1848	WINLOGON.EXE
1848	WINLOGON.EXE
2804	4k51k4.exe
2804	4k51k4.exe
1848	WINLOGON.EXE
2992	IExplorer.exe
1848	WINLOGON.EXE
1848	WINLOGON.EXE
2992	IExplorer.exe
2992	IExplorer.exe
1848	WINLOGON.EXE
1848	WINLOGON.EXE
1848	WINLOGON.EXE
1848	WINLOGON.EXE
2992	IExplorer.exe
2992	IExplorer.exe
2992	IExplorer.exe
1848	WINLOGON.EXE
1848	WINLOGON.EXE
1648	SMSS.EXE
1648	SMSS.EXE
1648	SMSS.EXE
2000	LSASS.EXE
1648	SMSS.EXE
2000	LSASS.EXE
2680	SERVICES.EXE
2680	SERVICES.EXE
1684	CSRSS.EXE
1684	CSRSS.EXE
1648	SMSS.EXE
1648	SMSS.EXE
2000	LSASS.EXE
2000	LSASS.EXE
1684	CSRSS.EXE
1684	CSRSS.EXE
2680	SERVICES.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0008000000014ba7-8.dat	upx
behavioral1/files/0x00080000000153d9-112.dat	upx
behavioral1/memory/2804-115-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2372-119-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/files/0x0006000000015ce3-118.dat	upx
behavioral1/files/0x0006000000015d0c-132.dat	upx
behavioral1/files/0x0006000000015d24-142.dat	upx
behavioral1/memory/1848-140-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015d44-158.dat	upx
behavioral1/memory/2000-171-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015d4c-168.dat	upx
behavioral1/memory/2372-167-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0006000000015e09-172.dat	upx
behavioral1/memory/2992-180-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2372-183-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2804-174-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1804-345-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2724-367-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1668-369-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2736-406-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2556-401-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2648-399-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2648-374-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2700-447-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1304-511-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/408-517-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1992-535-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/968-548-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2216-559-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1108-565-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1744-574-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2000-573-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/1524-570-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1652-569-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1812-566-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1524-564-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2000-563-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/2216-555-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1884-542-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2000-539-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/928-534-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1396-532-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1888-524-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2412-513-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1304-506-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1724-498-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1736-495-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1296-505-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/816-501-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2764-493-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2204-487-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1436-479-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1788-472-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2700-465-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2020-457-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2020-443-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1448-362-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2652-350-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2724-365-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1744-359-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1744-353-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2652-348-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2876-343-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	F:\desktop.ini	4k51k4.exe
File opened for modification	C:\desktop.ini	4k51k4.exe
File created	C:\desktop.ini	4k51k4.exe
File opened for modification	F:\desktop.ini	4k51k4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\R:	SMSS.EXE
File opened (read-only)	\??\O:	CSRSS.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\G:	SMSS.EXE
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\G:	CSRSS.EXE
File opened (read-only)	\??\K:	CSRSS.EXE
File opened (read-only)	\??\V:	CSRSS.EXE
File opened (read-only)	\??\Q:	4k51k4.exe
File opened (read-only)	\??\Y:	SMSS.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\B:	CSRSS.EXE
File opened (read-only)	\??\H:	CSRSS.EXE
File opened (read-only)	\??\U:	CSRSS.EXE
File opened (read-only)	\??\X:	CSRSS.EXE
File opened (read-only)	\??\G:	LSASS.EXE
File opened (read-only)	\??\Z:	LSASS.EXE
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\Z:	CSRSS.EXE
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\B:	LSASS.EXE
File opened (read-only)	\??\I:	CSRSS.EXE
File opened (read-only)	\??\S:	CSRSS.EXE
File opened (read-only)	\??\M:	WINLOGON.EXE
File opened (read-only)	\??\I:	SERVICES.EXE
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\V:	LSASS.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\U:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\B:	4k51k4.exe
File opened (read-only)	\??\G:	4k51k4.exe
File opened (read-only)	\??\O:	4k51k4.exe
File opened (read-only)	\??\X:	4k51k4.exe
File opened (read-only)	\??\Y:	4k51k4.exe
File opened (read-only)	\??\W:	SMSS.EXE
File opened (read-only)	\??\O:	LSASS.EXE
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\K:	4k51k4.exe
File opened (read-only)	\??\Z:	4k51k4.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\S:	LSASS.EXE
File opened (read-only)	\??\E:	4k51k4.exe
File opened (read-only)	\??\N:	4k51k4.exe
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\I:	LSASS.EXE
File opened (read-only)	\??\U:	SMSS.EXE
File opened (read-only)	\??\T:	LSASS.EXE
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\N:	CSRSS.EXE
File opened (read-only)	\??\R:	LSASS.EXE

Drops file in System32 directory 51 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MrHelloween.scr	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\shell.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2804	4k51k4.exe
1684	CSRSS.EXE
1848	WINLOGON.EXE
2992	IExplorer.exe
1648	SMSS.EXE
2680	SERVICES.EXE
2000	LSASS.EXE

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2804	4k51k4.exe
2992	IExplorer.exe
1848	WINLOGON.EXE
1684	CSRSS.EXE
2680	SERVICES.EXE
2000	LSASS.EXE
1648	SMSS.EXE
776	4k51k4.exe
1304	IExplorer.exe
1496	WINLOGON.EXE
1992	4k51k4.exe
1392	CSRSS.EXE
1568	IExplorer.exe
2332	WINLOGON.EXE
1812	SERVICES.EXE
3064	4k51k4.exe
2876	LSASS.EXE
1524	CSRSS.EXE
1804	IExplorer.exe
2652	WINLOGON.EXE
1744	SERVICES.EXE
1448	CSRSS.EXE
1668	SMSS.EXE
2724	SERVICES.EXE
2648	LSASS.EXE
2556	LSASS.EXE
2504	SMSS.EXE
2736	SMSS.EXE
2020	4k51k4.exe
2700	4k51k4.exe
1436	4k51k4.exe
2768	IExplorer.exe
1788	4k51k4.exe
2204	WINLOGON.EXE
1736	IExplorer.exe
2764	IExplorer.exe
816	IExplorer.exe
1724	CSRSS.EXE
1296	WINLOGON.EXE
1304	WINLOGON.EXE
2412	WINLOGON.EXE
408	SERVICES.EXE
1888	LSASS.EXE
1992	CSRSS.EXE
1396	CSRSS.EXE
2936	SERVICES.EXE
928	SERVICES.EXE
1884	SMSS.EXE
968	LSASS.EXE
1812	LSASS.EXE
1652	CSRSS.EXE
2216	SMSS.EXE
1524	SERVICES.EXE
1108	SMSS.EXE
1744	LSASS.EXE
2124	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2804	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2804	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2804	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2804	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	28
PID 2372 wrote to memory of 2992	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	29
PID 2372 wrote to memory of 2992	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	29
PID 2372 wrote to memory of 2992	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	29
PID 2372 wrote to memory of 2992	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	29
PID 2372 wrote to memory of 1848	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	30
PID 2372 wrote to memory of 1848	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	30
PID 2372 wrote to memory of 1848	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	30
PID 2372 wrote to memory of 1848	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	30
PID 2372 wrote to memory of 1684	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	31
PID 2372 wrote to memory of 1684	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	31
PID 2372 wrote to memory of 1684	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	31
PID 2372 wrote to memory of 1684	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	31
PID 2372 wrote to memory of 2680	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	32
PID 2372 wrote to memory of 2680	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	32
PID 2372 wrote to memory of 2680	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	32
PID 2372 wrote to memory of 2680	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	32
PID 2372 wrote to memory of 2000	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	33
PID 2372 wrote to memory of 2000	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	33
PID 2372 wrote to memory of 2000	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	33
PID 2372 wrote to memory of 2000	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	33
PID 2372 wrote to memory of 1648	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	34
PID 2372 wrote to memory of 1648	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	34
PID 2372 wrote to memory of 1648	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	34
PID 2372 wrote to memory of 1648	2372	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	34
PID 2804 wrote to memory of 776	2804	4k51k4.exe	35
PID 2804 wrote to memory of 776	2804	4k51k4.exe	35
PID 2804 wrote to memory of 776	2804	4k51k4.exe	35
PID 2804 wrote to memory of 776	2804	4k51k4.exe	35
PID 2804 wrote to memory of 1304	2804	4k51k4.exe	36
PID 2804 wrote to memory of 1304	2804	4k51k4.exe	36
PID 2804 wrote to memory of 1304	2804	4k51k4.exe	36
PID 2804 wrote to memory of 1304	2804	4k51k4.exe	36
PID 2804 wrote to memory of 1496	2804	4k51k4.exe	37
PID 2804 wrote to memory of 1496	2804	4k51k4.exe	37
PID 2804 wrote to memory of 1496	2804	4k51k4.exe	37
PID 2804 wrote to memory of 1496	2804	4k51k4.exe	37
PID 2992 wrote to memory of 1992	2992	IExplorer.exe	38
PID 2992 wrote to memory of 1992	2992	IExplorer.exe	38
PID 2992 wrote to memory of 1992	2992	IExplorer.exe	38
PID 2992 wrote to memory of 1992	2992	IExplorer.exe	38
PID 2804 wrote to memory of 1392	2804	4k51k4.exe	39
PID 2804 wrote to memory of 1392	2804	4k51k4.exe	39
PID 2804 wrote to memory of 1392	2804	4k51k4.exe	39
PID 2804 wrote to memory of 1392	2804	4k51k4.exe	39
PID 2992 wrote to memory of 1568	2992	IExplorer.exe	40
PID 2992 wrote to memory of 1568	2992	IExplorer.exe	40
PID 2992 wrote to memory of 1568	2992	IExplorer.exe	40
PID 2992 wrote to memory of 1568	2992	IExplorer.exe	40
PID 1848 wrote to memory of 3064	1848	WINLOGON.EXE	41
PID 1848 wrote to memory of 3064	1848	WINLOGON.EXE	41
PID 1848 wrote to memory of 3064	1848	WINLOGON.EXE	41
PID 1848 wrote to memory of 3064	1848	WINLOGON.EXE	41
PID 2804 wrote to memory of 1812	2804	4k51k4.exe	43
PID 2804 wrote to memory of 1812	2804	4k51k4.exe	43
PID 2804 wrote to memory of 1812	2804	4k51k4.exe	43
PID 2804 wrote to memory of 1812	2804	4k51k4.exe	43
PID 2992 wrote to memory of 2332	2992	IExplorer.exe	42
PID 2992 wrote to memory of 2332	2992	IExplorer.exe	42
PID 2992 wrote to memory of 2332	2992	IExplorer.exe	42
PID 2992 wrote to memory of 2332	2992	IExplorer.exe	42

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE

C:\Users\Admin\AppData\Local\Temp\1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2372
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2804
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:776
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1392
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2876
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1668
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2992
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1568
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2332
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2648
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2504
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1848
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2556
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2736
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1684
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:816
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1652
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2124
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2680
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1436
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2412
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1396
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:928
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:968
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2216
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2000
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1992
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2936
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1812
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1108
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1648
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1724
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1888
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
1.1MB

MD5
32f74e1014d04c8c1e98024061b09e83

SHA1
441622066dcfedf0c3c0127e4f1739083a4d0532

SHA256
581c88249f1abdf7c40c1da538e12590df5fde6096e6f5c04f3e0fd9ec79a2c5

SHA512
bcf356ae5a2af511a681050e5802e53dab592314d7d5bb19418d258280ad0c699213f0b29d916bd4bef48b84a1e9e8d389bb187d69c4fcf8b3845db75d2d0db4

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
1.1MB

MD5
d5d99f4ac91e09cf4a4ad5857f4dfec1

SHA1
cc9e8fb7a8e125239a643d064271ce0dd534c756

SHA256
e060594b05f0fffa04b858ea2834a0b5e5653ec9342b6bfcd83544b8feb3bad3

SHA512
0ce4e1538d2afbf50735db2ba7e4456ff4fad03626aeec780e9fa96edc4a668ff0a40669ae573c1ce932816641d46da38f8fb12f4c62b8dbee81cff1778b67fe

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
43bc3bd030950b0d31fa000d688877fe

SHA1
43a8f4e2d387827115622070f07261f98509d6e7

SHA256
d0401c40a9dff9b10360192bf6aeaef6843853b411eed2a1577c9f469a589680

SHA512
2733896e037fbaf3a556603f7b054918e712797a51a8634f97078782197efe0df7db2b94f8ff1a1f73ee7b7ca04a3d9016de5a5cd260c813b7c79f6578723dac

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
1.1MB

MD5
1ad1254d89feb40d38edf3d3c7f1bf50

SHA1
2bc21e6d45118d8e0afe00cd5b01d1749a584ac0

SHA256
8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209

SHA512
01c0e5735fbe81956bdad526c495fb1393b311568ce65b38d2ffbf1fc4ab9150281f36f39faca790e7510665a7daff9420cf0bebc21337cbed501b9c942b6a54

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
01ac24561bf2826ad2aa4ec135d0dfc0

SHA1
e2fb3e6785e19632dbd123f64cdfc60514320f96

SHA256
3d5af62e4325c147fda4bb089f74f5f6fc41bf7a9ff6918e1077307a59d862c6

SHA512
72865bf736f0a769df8a935298c86dfd44f66e86e998f09044d9c07a52aafa122cd8ce3343f4f19849f162513ce6b52972d5fa6f4d70de57883a99fe1710d48e

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
e0803ba1041a09be6585acd43cea7dd9

SHA1
bbbff6bd134c27c0f22ea6fc465f9e5a1e06d8db

SHA256
13ac6d567fde5e04e788b29be4a9b0135389e769a27a493c2585505c50a03d1e

SHA512
b001d529ed786ed71313c50e44c7c0b3d9d205d31816d9898dace48367000ec50866fe7d3c1cc74f739b81eed8d9b535faa3f9b8f8e51ae93c32dee120424a87

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
2a67cb22372b9844bad06f6a33ba433b

SHA1
63917419e4e42158e0d4776c395f9ed3203799e3

SHA256
c07f3c18497d6d87dab6f55867e7c3e8208a77c05d2dee0795918cffdd845a40

SHA512
53c1a9192022888aa31178a296649fc68262ad353f861b22351acc89db910c755aa264821ad80c6c99a0cad2c8533ed8a278a4bfe94de9a2bcd57f6a4691d7fa

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
b113e0f313afcf32bbfcc2a10fb6f99d

SHA1
6c1145ac10f3d6e064270ac06b69806fe1f6c4a1

SHA256
e0700fc94dfbdb71b280cb77d39ddad06c1cc34d61c215b4b199d6bc622941f4

SHA512
a2f8010129f024987dfae55813e72cb3b622befb500dca4850e30296037d14bcd1faebebfee7682e572e1eb32e9875bd4cc68c594d963ddd4689f41e7062fd3e

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
5ab0c00e04f6d20765be3b2d9ee598a7

SHA1
88f1a43b1ea4b998cd088a4cbcf510dd93be07f3

SHA256
051bd231bab559944884daa84f725135988de2dab3b08855b42d7c7cad9d195d

SHA512
1b21faeae7647c8d719b1c3eaa74da8a7fc347698eb78da0d4d31ded776096656caf4203247e9ccdd001030842032e8e55438ec8c40f53a48696d53fda87338d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
d14cd3006b76a758230210490c5ffef4

SHA1
bc5b835134f8f811135fca6e3e95beaa3cb1d0d6

SHA256
d0745a3e06a03c380841c5241baf5038f312a25a7fe69fd8291200f16dc87b2b

SHA512
982b93de2d14c15d112674d382e6701a6d6b3fdfe7c9e8d153d7a298cc1b5a1ee95400c1f2626cdafc1f0c3f29352168a92df09fdee4696c1880e7dcbef11ec4

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
4b2fb77f48e8066305061c20cbdcf537

SHA1
1b761e78972e6f11881d2cc08afc52be2c4e7973

SHA256
20570c2de18003341da25ada2469f1900de77517ecf9341165ebb0d9f6830950

SHA512
193d139857c164c2e97beb3a10b253cff6c9e0fb9742313ee616d61f48f6b85526bb2a4c70d0c119cc00fc0423c17e303d0d11841779bfbea95874ab7f28b74d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
7fcd92bdb42b7d3ce3db124ad10b7ac0

SHA1
49dd9f07ef1956e0286e5e94c47a3375ad5346d6

SHA256
56aa7af6746e9b4ed505d095eff2c433835313cfef664d8467b981c6126d5c62

SHA512
487b7324dbecbfe78d92bdb74db746d2dfa2fabceda700b020345432d67770959374d5791f694cf281b4369cd8ae391c2db6603472d7dfb8253e5ee7ab0e096a

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
23c6b0ca5d3a938e39385b71efe26e5e

SHA1
6fc7dec84fc509b9e34e67d4fd5a003ccb082aba

SHA256
8987ab949a537beb3e64f6e15a57ca1c55568109d783297fde33673ef8c6ccf9

SHA512
0027ce0a72a4ca9f8abc8dba91ae68a002ec0428fbe8fe0c03955615bb71f37296c7c98c252bd18fb593ad255890ad57eb777f334674068b00e8ae44a4bf3dec

Download Submit
memory/408-517-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/776-222-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/776-221-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/816-501-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/928-534-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/968-548-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1108-565-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1296-505-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-229-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-511-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1304-506-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1392-310-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1396-532-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1436-479-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1436-478-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1448-362-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-252-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-260-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-250-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1496-248-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/1524-564-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-570-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-341-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1568-306-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1648-525-0x00000000026F0000-0x0000000002713000-memory.dmp

Filesize
140KB

Download
memory/1648-303-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1648-466-0x00000000026F0000-0x0000000002713000-memory.dmp

Filesize
140KB

Download
memory/1648-536-0x00000000026F0000-0x0000000002713000-memory.dmp

Filesize
140KB

Download
memory/1648-488-0x00000000026F0000-0x0000000002713000-memory.dmp

Filesize
140KB

Download
memory/1648-486-0x00000000026F0000-0x0000000002713000-memory.dmp

Filesize
140KB

Download
memory/1652-569-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1668-369-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1684-504-0x0000000003210000-0x0000000003233000-memory.dmp

Filesize
140KB

Download
memory/1684-251-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1684-468-0x0000000003210000-0x0000000003233000-memory.dmp

Filesize
140KB

Download
memory/1684-587-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1724-498-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1736-495-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-353-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-359-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1744-574-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1788-471-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1788-472-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1804-345-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-322-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-566-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1812-329-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-140-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-302-0x00000000003C0000-0x00000000003E3000-memory.dmp

Filesize
140KB

Download
memory/1848-586-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1848-216-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1884-542-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1888-524-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-535-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1992-274-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2000-539-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-552-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-543-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-491-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-171-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-563-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-533-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2000-573-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2020-458-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2020-443-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2020-457-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2204-487-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-559-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2216-555-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2332-326-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-183-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-114-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-113-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-119-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-137-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-139-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2372-149-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2372-167-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2412-513-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2556-401-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2648-399-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2648-374-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-348-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2652-350-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-262-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2680-562-0x00000000026A0000-0x00000000026C3000-memory.dmp

Filesize
140KB

Download
memory/2680-467-0x00000000026A0000-0x00000000026C3000-memory.dmp

Filesize
140KB

Download
memory/2700-465-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2700-447-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2700-464-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2724-367-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2724-365-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2736-406-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-493-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-307-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2804-315-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2804-316-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2804-361-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2804-174-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-584-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-115-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2804-215-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2804-225-0x0000000000470000-0x0000000000493000-memory.dmp

Filesize
140KB

Download
memory/2876-343-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2876-337-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-180-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-476-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download
memory/2992-474-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download
memory/2992-391-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download
memory/2992-585-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2992-263-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download
memory/2992-275-0x0000000002610000-0x0000000002633000-memory.dmp

Filesize
140KB

Download
memory/3064-332-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3064-331-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download