8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Size

1.1MB
MD5

1ad1254d89feb40d38edf3d3c7f1bf50
SHA1

2bc21e6d45118d8e0afe00cd5b01d1749a584ac0
SHA256

8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209
SHA512

01c0e5735fbe81956bdad526c495fb1393b311568ce65b38d2ffbf1fc4ab9150281f36f39faca790e7510665a7daff9420cf0bebc21337cbed501b9c942b6a54
SSDEEP

6144:mjljqj9jCfj9j3j9jtj9jOj9j9j9jvj9jGj9jSj9jSj9jmj9jE:8f

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 63 IoCs

pid	Process
2564	4k51k4.exe
4880	IExplorer.exe
3756	WINLOGON.EXE
4560	CSRSS.EXE
228	SERVICES.EXE
4632	LSASS.EXE
3712	SMSS.EXE
264	4k51k4.exe
2696	IExplorer.exe
4992	WINLOGON.EXE
3512	CSRSS.EXE
4652	4k51k4.exe
3200	IExplorer.exe
3276	WINLOGON.EXE
3520	CSRSS.EXE
4980	SERVICES.EXE
1144	LSASS.EXE
2076	SMSS.EXE
1296	4k51k4.exe
3328	IExplorer.exe
4332	WINLOGON.EXE
1464	CSRSS.EXE
4368	SERVICES.EXE
1584	LSASS.EXE
1548	SMSS.EXE
3660	4k51k4.exe
4820	IExplorer.exe
752	WINLOGON.EXE
4216	CSRSS.EXE
2228	SERVICES.EXE
4508	LSASS.EXE
1568	SMSS.EXE
2352	4k51k4.exe
3752	IExplorer.exe
3724	WINLOGON.EXE
4944	CSRSS.EXE
2488	4k51k4.exe
3952	IExplorer.exe
4920	SERVICES.EXE
2744	WINLOGON.EXE
2696	LSASS.EXE
4672	CSRSS.EXE
1800	SMSS.EXE
1596	SERVICES.EXE
3760	4k51k4.exe
4748	LSASS.EXE
1328	IExplorer.exe
4940	SMSS.EXE
1784	WINLOGON.EXE
2156	CSRSS.EXE
1392	4k51k4.exe
3180	SERVICES.EXE
2664	IExplorer.exe
2100	LSASS.EXE
1564	WINLOGON.EXE
2176	SMSS.EXE
868	CSRSS.EXE
3748	SERVICES.EXE
4648	LSASS.EXE
3232	SMSS.EXE
432	SERVICES.EXE
3944	LSASS.EXE
1368	SMSS.EXE

Loads dropped DLL 8 IoCs

pid	Process
264	4k51k4.exe
4652	4k51k4.exe
1296	4k51k4.exe
3660	4k51k4.exe
2352	4k51k4.exe
2488	4k51k4.exe
3760	4k51k4.exe
1392	4k51k4.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE

UPX packed file 63 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4008-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023419-8.dat	upx
behavioral2/files/0x000700000002341d-111.dat	upx
behavioral2/memory/2564-112-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023421-116.dat	upx
behavioral2/files/0x0007000000023423-123.dat	upx
behavioral2/files/0x0007000000023424-128.dat	upx
behavioral2/memory/4560-132-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023426-135.dat	upx
behavioral2/files/0x0007000000023427-139.dat	upx
behavioral2/files/0x0007000000023428-144.dat	upx
behavioral2/memory/3712-146-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/264-175-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2696-179-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4992-184-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4008-183-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4992-186-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002341f-206.dat	upx
behavioral2/memory/3276-239-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1548-336-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1564-484-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2664-479-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1328-456-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4880-500-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3760-452-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2744-433-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3952-426-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2488-420-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3724-408-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3752-403-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2352-399-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3512-504-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/752-377-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4820-372-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3660-368-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023420-345.dat	upx
behavioral2/files/0x000700000002341f-343.dat	upx
behavioral2/files/0x000700000002341e-342.dat	upx
behavioral2/files/0x0007000000023422-339.dat	upx
behavioral2/memory/4332-302-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3328-291-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1296-286-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2076-269-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1144-262-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4980-255-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3756-505-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3520-250-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3200-234-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4652-228-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023422-215.dat	upx
behavioral2/files/0x000700000002341e-214.dat	upx
behavioral2/files/0x0007000000023420-213.dat	upx
behavioral2/memory/2564-204-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/432-509-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4560-510-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3944-515-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/228-514-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1368-519-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4008-520-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4632-521-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3712-522-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4880-524-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2564-523-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	4k51k4.exe
File created	C:\desktop.ini	4k51k4.exe
File opened for modification	F:\desktop.ini	4k51k4.exe
File created	F:\desktop.ini	4k51k4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\I:	LSASS.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\N:	LSASS.EXE
File opened (read-only)	\??\K:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\S:	4k51k4.exe
File opened (read-only)	\??\V:	4k51k4.exe
File opened (read-only)	\??\L:	CSRSS.EXE
File opened (read-only)	\??\V:	CSRSS.EXE
File opened (read-only)	\??\R:	LSASS.EXE
File opened (read-only)	\??\U:	LSASS.EXE
File opened (read-only)	\??\T:	SMSS.EXE
File opened (read-only)	\??\G:	4k51k4.exe
File opened (read-only)	\??\P:	4k51k4.exe
File opened (read-only)	\??\H:	CSRSS.EXE
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\I:	SMSS.EXE
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\H:	LSASS.EXE
File opened (read-only)	\??\K:	LSASS.EXE
File opened (read-only)	\??\S:	LSASS.EXE
File opened (read-only)	\??\O:	SMSS.EXE
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\J:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\R:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\X:	4k51k4.exe
File opened (read-only)	\??\R:	CSRSS.EXE
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\S:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\X:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\H:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\O:	CSRSS.EXE
File opened (read-only)	\??\U:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\U:	4k51k4.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\O:	LSASS.EXE
File opened (read-only)	\??\E:	SMSS.EXE
File opened (read-only)	\??\N:	4k51k4.exe
File opened (read-only)	\??\W:	LSASS.EXE
File opened (read-only)	\??\Z:	LSASS.EXE
File opened (read-only)	\??\K:	SMSS.EXE
File opened (read-only)	\??\N:	SMSS.EXE
File opened (read-only)	\??\N:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\M:	SMSS.EXE
File opened (read-only)	\??\L:	4k51k4.exe
File opened (read-only)	\??\G:	SMSS.EXE
File opened (read-only)	\??\M:	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\B:	CSRSS.EXE
File opened (read-only)	\??\Y:	CSRSS.EXE
File opened (read-only)	\??\J:	CSRSS.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\Q:	4k51k4.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\4k51k4.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\4k51k4.exe	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\	IExplorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2564	4k51k4.exe
4560	CSRSS.EXE
3756	WINLOGON.EXE
4880	IExplorer.exe
228	SERVICES.EXE
4632	LSASS.EXE
3712	SMSS.EXE

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
2564	4k51k4.exe
4880	IExplorer.exe
3756	WINLOGON.EXE
4560	CSRSS.EXE
228	SERVICES.EXE
4632	LSASS.EXE
3712	SMSS.EXE
264	4k51k4.exe
2696	IExplorer.exe
4992	WINLOGON.EXE
4652	4k51k4.exe
3200	IExplorer.exe
3276	WINLOGON.EXE
3520	CSRSS.EXE
4980	SERVICES.EXE
1144	LSASS.EXE
2076	SMSS.EXE
1296	4k51k4.exe
3328	IExplorer.exe
4332	WINLOGON.EXE
1464	CSRSS.EXE
4368	SERVICES.EXE
1584	LSASS.EXE
1548	SMSS.EXE
3660	4k51k4.exe
4820	IExplorer.exe
752	WINLOGON.EXE
4216	CSRSS.EXE
2228	SERVICES.EXE
4508	LSASS.EXE
1568	SMSS.EXE
2352	4k51k4.exe
3752	IExplorer.exe
3724	WINLOGON.EXE
4944	CSRSS.EXE
2488	4k51k4.exe
3952	IExplorer.exe
4920	SERVICES.EXE
2744	WINLOGON.EXE
2696	LSASS.EXE
4672	CSRSS.EXE
1800	SMSS.EXE
1596	SERVICES.EXE
4748	LSASS.EXE
3760	4k51k4.exe
1328	IExplorer.exe
4940	SMSS.EXE
1784	WINLOGON.EXE
2156	CSRSS.EXE
1392	4k51k4.exe
3180	SERVICES.EXE
2664	IExplorer.exe
2100	LSASS.EXE
1564	WINLOGON.EXE
2176	SMSS.EXE
868	CSRSS.EXE
3748	SERVICES.EXE
4648	LSASS.EXE
3232	SMSS.EXE
3512	CSRSS.EXE
432	SERVICES.EXE
3944	LSASS.EXE
1368	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2564	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 2564	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 2564	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	82
PID 4008 wrote to memory of 4880	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	83
PID 4008 wrote to memory of 4880	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	83
PID 4008 wrote to memory of 4880	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	83
PID 4008 wrote to memory of 3756	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	85
PID 4008 wrote to memory of 3756	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	85
PID 4008 wrote to memory of 3756	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	85
PID 4008 wrote to memory of 4560	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	87
PID 4008 wrote to memory of 4560	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	87
PID 4008 wrote to memory of 4560	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	87
PID 4008 wrote to memory of 228	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	89
PID 4008 wrote to memory of 228	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	89
PID 4008 wrote to memory of 228	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	89
PID 4008 wrote to memory of 4632	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	90
PID 4008 wrote to memory of 4632	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	90
PID 4008 wrote to memory of 4632	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	90
PID 4008 wrote to memory of 3712	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	91
PID 4008 wrote to memory of 3712	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	91
PID 4008 wrote to memory of 3712	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	91
PID 4008 wrote to memory of 264	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	92
PID 4008 wrote to memory of 264	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	92
PID 4008 wrote to memory of 264	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	92
PID 4008 wrote to memory of 2696	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	125
PID 4008 wrote to memory of 2696	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	125
PID 4008 wrote to memory of 2696	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	125
PID 4008 wrote to memory of 4992	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	94
PID 4008 wrote to memory of 4992	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	94
PID 4008 wrote to memory of 4992	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	94
PID 4008 wrote to memory of 3512	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	95
PID 4008 wrote to memory of 3512	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	95
PID 4008 wrote to memory of 3512	4008	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe	95
PID 2564 wrote to memory of 4652	2564	4k51k4.exe	96
PID 2564 wrote to memory of 4652	2564	4k51k4.exe	96
PID 2564 wrote to memory of 4652	2564	4k51k4.exe	96
PID 2564 wrote to memory of 3200	2564	4k51k4.exe	97
PID 2564 wrote to memory of 3200	2564	4k51k4.exe	97
PID 2564 wrote to memory of 3200	2564	4k51k4.exe	97
PID 2564 wrote to memory of 3276	2564	4k51k4.exe	98
PID 2564 wrote to memory of 3276	2564	4k51k4.exe	98
PID 2564 wrote to memory of 3276	2564	4k51k4.exe	98
PID 2564 wrote to memory of 3520	2564	4k51k4.exe	99
PID 2564 wrote to memory of 3520	2564	4k51k4.exe	99
PID 2564 wrote to memory of 3520	2564	4k51k4.exe	99
PID 2564 wrote to memory of 4980	2564	4k51k4.exe	100
PID 2564 wrote to memory of 4980	2564	4k51k4.exe	100
PID 2564 wrote to memory of 4980	2564	4k51k4.exe	100
PID 2564 wrote to memory of 1144	2564	4k51k4.exe	101
PID 2564 wrote to memory of 1144	2564	4k51k4.exe	101
PID 2564 wrote to memory of 1144	2564	4k51k4.exe	101
PID 2564 wrote to memory of 2076	2564	4k51k4.exe	102
PID 2564 wrote to memory of 2076	2564	4k51k4.exe	102
PID 2564 wrote to memory of 2076	2564	4k51k4.exe	102
PID 4880 wrote to memory of 1296	4880	IExplorer.exe	103
PID 4880 wrote to memory of 1296	4880	IExplorer.exe	103
PID 4880 wrote to memory of 1296	4880	IExplorer.exe	103
PID 4880 wrote to memory of 3328	4880	IExplorer.exe	104
PID 4880 wrote to memory of 3328	4880	IExplorer.exe	104
PID 4880 wrote to memory of 3328	4880	IExplorer.exe	104
PID 4880 wrote to memory of 4332	4880	IExplorer.exe	105
PID 4880 wrote to memory of 4332	4880	IExplorer.exe	105
PID 4880 wrote to memory of 4332	4880	IExplorer.exe	105
PID 4880 wrote to memory of 1464	4880	IExplorer.exe	106

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE

C:\Users\Admin\AppData\Local\Temp\1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\1ad1254d89feb40d38edf3d3c7f1bf50_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4008
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2564
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4652
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3200
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3276
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3520
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4980
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1144
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2076
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4880
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3328
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4332
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4368
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3756
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3660
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4820
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4216
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2228
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4508
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1568
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4560
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3724
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4944
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4920
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1800
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:228
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3952
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4672
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4748
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4940
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4632
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3760
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1328
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1784
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2156
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3180
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2100
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:3712
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1392
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3748
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4648
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3232
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:264
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2696
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3512
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3944
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1368

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
1.1MB

MD5
ea50097ca448310be9fe6be99458e516

SHA1
57039a51a2e5a26078b184e9223b65a635cf64db

SHA256
a1cddaf50d87e464aa56950af7825c59d94ebf4699031e5c3709d8f4a70a28ca

SHA512
4704e5f34161a00b42b5650250f67a815e087df0d02ff1e994310ae6fb862ea39d1adfa497ebcff8a547df246d5e068a947735c94ce28cd45ff3a4050f20a1aa

Download Submit
C:\4k51k4.exe

Filesize
1.1MB

MD5
938b4a922b37936a031878521248fae3

SHA1
50ae78e3c08e2f5e1924d4434eaef960a63be145

SHA256
a43503c604c6978c2c51daf9c0fdedd27e4ade2cd6a927581cd2f02c981651d6

SHA512
d3827030169a07401a0a1639453eaf52bd1d6ffddd17e5e605ace88610cd5391a755d28d033f8bbf17bff88242537d6b92b8b604dd395026b26632ae3807f402

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
81beb43bc351751f8f424da1d8232ab4

SHA1
6d2e263d92b92793f05289589056c2ee642ed92d

SHA256
6d10d4cf5f2be8813d8749e44bc515bd15fb52a8234b36aad9393016226001e1

SHA512
8f833f5652dbdafe1a5f7869341c44b40727cf35e91fdc58fb7ae58160d9fa6f5918dd8fda67b56bb9621c4bbb8305b9d08d9c3b61de085c7057127263d66a1a

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
1.1MB

MD5
38ca91f6ae1abfc70116f352b384f41c

SHA1
ddf3ec26cd62b49261fd0eab16b27d58ed80aec3

SHA256
10adbc93202057f1e2da5b0be42f31734734f5e0387cddc878b40310825f250c

SHA512
437a3afc12813923add874f7e3aecaed5c65d0113fc6f8bcc22837d5c9cbefe9deacf4b8df2d23d28034f5247a7992f9b7e6b632aed714bb7d5859a2cf0b857c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
6fe94d64d759565e0ef8b13b3f6414c3

SHA1
1c577e15b982cc249d8574a5e4562a337704efc1

SHA256
c563c87c506bf925e334b3a8b17921b527aa66faef8bda2e53bedc2c578e6ba3

SHA512
948af2edde57671a2b60115f8c0cf6c57e7c84a9c197c60fcb73ad3edbccb947e1948cacc0334b67a26280763c28c6394a48a93f250ffd95f42931877034f346

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
e6ea936c511e9b1c6945fa3c76da0228

SHA1
e73f431b81a18586a9720a327184629974c47f7c

SHA256
54f361ea26aa0349700e76569c946af637653a595fd714562460753b117efd16

SHA512
e9051e0ac41c996f3f8ebd384e861f97aa2e231b446c080c40d07a6bacc2524bc3713868faeb797e0590c1b88da51a2e5365a825c1066917c379c7bdfa014bff

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
1.1MB

MD5
1ad1254d89feb40d38edf3d3c7f1bf50

SHA1
2bc21e6d45118d8e0afe00cd5b01d1749a584ac0

SHA256
8400d4ef53ac6449c5017c31250f50ae5999d73a85b111f4d6cab18b1474a209

SHA512
01c0e5735fbe81956bdad526c495fb1393b311568ce65b38d2ffbf1fc4ab9150281f36f39faca790e7510665a7daff9420cf0bebc21337cbed501b9c942b6a54

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
b488d7a66c7826c244715fc89bf67b28

SHA1
c2c853d60c4dcab623d0be3093e0616543bb904a

SHA256
2ac566930581775affb2e6c365aa76059510bf28efa8b5fd8d108f3d35a507ab

SHA512
95ab3c71649b743515d3fa7fba955cb6a02341519a6b88d8fdc0af5c345e070fda3a1507b5cf142d8e8045bb7eb4e9683edbfb6a825f86edff826874d27c9f7f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
256KB

MD5
e74ef162e002651c59fd65ffaefdb24d

SHA1
4659d8966976c2788974f94d13b278afd46fec7e

SHA256
fea0fe15eb8194e472bd540792d58ba71cabad9a6ad3fee163542e1bdcff9aff

SHA512
b3739d629d47bdd5348b27d5891fbf9ffb240982a97716d8b0a53f93ac92b80d174ee9f4e5419ae2bbc58f4d1e786dc17df7e31da07d25e0a8f12d711cd43981

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
d1ea81a797b79c78fe2a4ed32bff95da

SHA1
4065c2289f7dde728e00c666961948af4cb21555

SHA256
727db80915a01fe0290083b7b8caacb03552f6de01260ddec683ab063d23ffa4

SHA512
31a559726fd9a98a4471b03a58f643b844c5fb7dd0142c6f0c5662d8484862bd7f1755a87d3491ddeea403fa7a1f41e57aa6d97ec0de5ad71753980693c8ba39

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
14d9235d507cf140eb5fd3e481e55822

SHA1
a882232f9526c1dc8e47645d52911a550920d292

SHA256
ab00170c553ce7790fbb419c89cf435e5bce3845cb715e5543589dfdd380b3a2

SHA512
2b6fe49a8cbe0c52ebbe8766964ebc61b91d4cdbaaaa2ed9667d6b43d62e7be3790d8f67aeccfab3bf735d1035bcad22e715a991d5f294dd8d90b63bcb7febeb

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
73d0d7a2652654c83f02639bac243819

SHA1
5e1b51e363755261976494dc4d591e02b4eb85dd

SHA256
f159985122e6debb5f237460bba97c03b5bf28f66716f377343da9ba0b0ae87b

SHA512
2ac1e39f80062cfb475ee696dc1eacbb0292c077663109b8db5a52eba8827b108d6ce2f4427a6ab9ff6db1f990886c00ac85b5e0fa19d155f18182c31e59efeb

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
a09b4e240c1365f41283394d4371fe0f

SHA1
4f618597f5e0cf6716ce65473f178c6570c87a1f

SHA256
bd842e7821160f1421f9bab4fee06a9866dfb0b4684eee4f37e23df2665f164f

SHA512
bfe8b6ca861a7c8b6e2c2a5bfdaf0bb15ef286f380dac07323bc48a1a6286297351fb9f266ee658d8466c76a7381b6eba123f86b6ea434d4ecd93d5e9cade42d

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
12a7e213c6603925c7c797ef9b138792

SHA1
570a5f2fa817ebbbcc02b6369bef72af2bcb34cf

SHA256
486d7c27f28ce816130bf635d665ef88a11a8a8578455eab937fe641b9b949d6

SHA512
9771ea3d466980a6128b3eb785c6a0405109a08957accd2bf629877387b3cd25d8d52b2b4d160af35239d02006b9e1158e4048b77469c9436d770054d3ea8944

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
31fd519169489187fd34fb6967855176

SHA1
fa4c0cb3532b3082f41b003274518184b3cb8922

SHA256
de94e7d127b636d9c3fe02f7a983b005b1c4188b8bfc5d07ec688f213664759e

SHA512
404322a6b25d984f6a26e7fa6f3015c0bd2ef55415c5f7068130a5830e2bde490f3a3d4c096a241b065ca3952ee264d7d51a754a90f8a582cc2c2dd4d41d2aa1

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
81dbf7b14c39f771d1a46abb35576f98

SHA1
89d0ea29d8870b2e59efe04d30541e9538740e8e

SHA256
ecc419e6030aa61a2dd24a44bba0eeace6edee3cf812085c38167dec17d885a1

SHA512
309d2f410095b4e180ed66f782a3882eff934aa1ea99cd35b903d9294981ea4fda81259239bb21e1d3a82aa5eac8af61ccbc8a0edaf9f7daffb47aab3030e55b

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/228-514-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/264-175-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/432-509-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/752-377-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1144-262-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1296-286-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1328-456-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1368-519-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1548-336-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1564-484-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2076-269-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2352-399-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2488-420-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-204-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-523-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2564-112-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2664-479-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2696-179-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2744-433-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3200-234-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3276-239-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3328-291-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3512-504-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3520-250-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3660-368-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3712-522-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3712-146-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3724-408-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3752-403-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3756-505-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3760-452-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3944-515-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3952-426-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4008-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4008-520-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4008-183-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4332-302-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4560-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4560-510-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4632-521-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4652-228-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4820-372-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4880-500-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4880-524-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4980-255-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4992-184-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4992-186-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download