7c0a7a60063a9997c830905fd02791393f3a1500b1032c102a9d0d1c63a5d819

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 09:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Size

91KB
MD5

3e6c2d6b25eb536bd73cb64f8d6ce680
SHA1

16cbe8d43783b6bc4ea377eef4547e46258b11c9
SHA256

7c0a7a60063a9997c830905fd02791393f3a1500b1032c102a9d0d1c63a5d819
SHA512

6f7687b076ed2c931c9424c563b98dabc55b00d1d38989305617ba6c5ab4d11e5c4988dbbd76bad58e85fbc5ac54a9d1a54c3555f85b07de00e3676bf2f4fd56
SSDEEP

1536:yOcjUpkWb2TTgKwuoOcjUpkWb2TTgKwuq:yOcjWJu7toOcjWJu7tq

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 56 IoCs

pid	Process
2064	4k51k4.exe
3920	IExplorer.exe
4196	WINLOGON.EXE
1444	CSRSS.EXE
2840	SERVICES.EXE
1524	LSASS.EXE
1788	SMSS.EXE
4596	4k51k4.exe
2608	4k51k4.exe
3124	IExplorer.exe
2256	WINLOGON.EXE
3056	IExplorer.exe
4636	CSRSS.EXE
3588	4k51k4.exe
3616	SERVICES.EXE
4352	4k51k4.exe
4348	4k51k4.exe
1520	4k51k4.exe
3300	IExplorer.exe
2752	LSASS.EXE
3896	WINLOGON.EXE
1044	IExplorer.exe
1036	IExplorer.exe
3288	IExplorer.exe
3440	WINLOGON.EXE
4920	SMSS.EXE
2824	CSRSS.EXE
2128	WINLOGON.EXE
4432	WINLOGON.EXE
900	WINLOGON.EXE
4760	CSRSS.EXE
2616	CSRSS.EXE
5036	CSRSS.EXE
1856	CSRSS.EXE
3576	SERVICES.EXE
3204	SERVICES.EXE
3404	SERVICES.EXE
880	LSASS.EXE
1408	SERVICES.EXE
464	SERVICES.EXE
4456	LSASS.EXE
4156	4k51k4.exe
3752	LSASS.EXE
2904	IExplorer.exe
2944	SMSS.EXE
1640	LSASS.EXE
3180	LSASS.EXE
2100	SMSS.EXE
2804	SMSS.EXE
564	SMSS.EXE
4736	WINLOGON.EXE
2856	SMSS.EXE
3312	CSRSS.EXE
1600	SERVICES.EXE
5084	LSASS.EXE
3056	SMSS.EXE

Loads dropped DLL 7 IoCs

pid	Process
4596	4k51k4.exe
2608	4k51k4.exe
3588	4k51k4.exe
4352	4k51k4.exe
4348	4k51k4.exe
1520	4k51k4.exe
4156	4k51k4.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4928-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023411-8.dat	upx
behavioral2/files/0x0007000000023415-110.dat	upx
behavioral2/files/0x0007000000023419-115.dat	upx
behavioral2/files/0x000700000002341b-122.dat	upx
behavioral2/files/0x000700000002341c-127.dat	upx
behavioral2/files/0x000700000002341d-132.dat	upx
behavioral2/memory/2840-135-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002341e-138.dat	upx
behavioral2/files/0x000700000002341f-143.dat	upx
behavioral2/memory/4928-148-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023418-153.dat	upx
behavioral2/files/0x000700000002341a-180.dat	upx
behavioral2/memory/3124-205-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2608-202-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023418-178.dat	upx
behavioral2/files/0x0007000000023417-175.dat	upx
behavioral2/files/0x0007000000023416-174.dat	upx
behavioral2/memory/2256-238-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002341a-245.dat	upx
behavioral2/files/0x0007000000023418-251.dat	upx
behavioral2/files/0x0007000000023417-249.dat	upx
behavioral2/files/0x0007000000023416-247.dat	upx
behavioral2/memory/2064-239-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4596-236-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3920-262-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4636-264-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3588-270-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4196-269-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023418-275.dat	upx
behavioral2/files/0x0007000000023416-279.dat	upx
behavioral2/files/0x0007000000023417-287.dat	upx
behavioral2/files/0x000700000002341a-277.dat	upx
behavioral2/memory/4636-306-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3616-314-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4348-329-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3300-337-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4352-339-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1520-336-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1044-333-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3896-332-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2752-331-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2840-330-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3440-353-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3288-360-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1044-357-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1036-355-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3440-351-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1788-362-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1524-350-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1444-313-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3588-312-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3056-310-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4920-371-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2128-388-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/900-386-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4432-384-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2824-406-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1856-429-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3404-430-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5036-427-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3204-425-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3576-411-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1408-454-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	F:\desktop.ini	IExplorer.exe
File created	F:\desktop.ini	IExplorer.exe
File opened for modification	C:\desktop.ini	IExplorer.exe
File created	C:\desktop.ini	IExplorer.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\O:	SMSS.EXE
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\B:	CSRSS.EXE
File opened (read-only)	\??\S:	LSASS.EXE
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\J:	CSRSS.EXE
File opened (read-only)	\??\K:	LSASS.EXE
File opened (read-only)	\??\R:	SMSS.EXE
File opened (read-only)	\??\T:	WINLOGON.EXE
File opened (read-only)	\??\K:	CSRSS.EXE
File opened (read-only)	\??\L:	LSASS.EXE
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\R:	IExplorer.exe
File opened (read-only)	\??\B:	4k51k4.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\B:	SMSS.EXE
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\V:	SMSS.EXE
File opened (read-only)	\??\P:	IExplorer.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\H:	4k51k4.exe
File opened (read-only)	\??\S:	WINLOGON.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\P:	SMSS.EXE
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\W:	4k51k4.exe
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\H:	CSRSS.EXE
File opened (read-only)	\??\Z:	CSRSS.EXE
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\H:	SMSS.EXE
File opened (read-only)	\??\K:	IExplorer.exe
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\L:	WINLOGON.EXE
File opened (read-only)	\??\I:	CSRSS.EXE
File opened (read-only)	\??\E:	SMSS.EXE
File opened (read-only)	\??\N:	SMSS.EXE
File opened (read-only)	\??\U:	4k51k4.exe
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\G:	CSRSS.EXE
File opened (read-only)	\??\W:	CSRSS.EXE
File opened (read-only)	\??\Y:	LSASS.EXE
File opened (read-only)	\??\K:	SMSS.EXE
File opened (read-only)	\??\S:	4k51k4.exe
File opened (read-only)	\??\M:	CSRSS.EXE
File opened (read-only)	\??\T:	CSRSS.EXE
File opened (read-only)	\??\V:	IExplorer.exe
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\S:	CSRSS.EXE
File opened (read-only)	\??\Y:	CSRSS.EXE
File opened (read-only)	\??\Y:	SMSS.EXE
File opened (read-only)	\??\E:	4k51k4.exe
File opened (read-only)	\??\J:	LSASS.EXE

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\4k51k4.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\4k51k4.exe	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
2064	4k51k4.exe
1444	CSRSS.EXE
4196	WINLOGON.EXE
3920	IExplorer.exe
2840	SERVICES.EXE
1524	LSASS.EXE
1788	SMSS.EXE

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
2064	4k51k4.exe
3920	IExplorer.exe
4196	WINLOGON.EXE
1444	CSRSS.EXE
2840	SERVICES.EXE
1524	LSASS.EXE
1788	SMSS.EXE
2608	4k51k4.exe
3124	IExplorer.exe
4596	4k51k4.exe
2256	WINLOGON.EXE
4636	CSRSS.EXE
3056	IExplorer.exe
3588	4k51k4.exe
3616	SERVICES.EXE
1520	4k51k4.exe
4348	4k51k4.exe
4352	4k51k4.exe
3300	IExplorer.exe
2752	LSASS.EXE
3896	WINLOGON.EXE
1044	IExplorer.exe
1036	IExplorer.exe
3288	IExplorer.exe
3440	WINLOGON.EXE
4920	SMSS.EXE
2128	WINLOGON.EXE
900	WINLOGON.EXE
4432	WINLOGON.EXE
2824	CSRSS.EXE
4760	CSRSS.EXE
2616	CSRSS.EXE
3576	SERVICES.EXE
5036	CSRSS.EXE
3204	SERVICES.EXE
1856	CSRSS.EXE
3404	SERVICES.EXE
880	LSASS.EXE
1408	SERVICES.EXE
464	SERVICES.EXE
4456	LSASS.EXE
3752	LSASS.EXE
4156	4k51k4.exe
3180	LSASS.EXE
1640	LSASS.EXE
2904	IExplorer.exe
2944	SMSS.EXE
2804	SMSS.EXE
2100	SMSS.EXE
4736	WINLOGON.EXE
564	SMSS.EXE
2856	SMSS.EXE
3312	CSRSS.EXE
1600	SERVICES.EXE
5084	LSASS.EXE
3056	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 2064	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	83
PID 4928 wrote to memory of 2064	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	83
PID 4928 wrote to memory of 2064	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	83
PID 4928 wrote to memory of 3920	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	84
PID 4928 wrote to memory of 3920	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	84
PID 4928 wrote to memory of 3920	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	84
PID 4928 wrote to memory of 4196	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	85
PID 4928 wrote to memory of 4196	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	85
PID 4928 wrote to memory of 4196	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	85
PID 4928 wrote to memory of 1444	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	86
PID 4928 wrote to memory of 1444	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	86
PID 4928 wrote to memory of 1444	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	86
PID 4928 wrote to memory of 2840	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	87
PID 4928 wrote to memory of 2840	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	87
PID 4928 wrote to memory of 2840	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	87
PID 4928 wrote to memory of 1524	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	88
PID 4928 wrote to memory of 1524	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	88
PID 4928 wrote to memory of 1524	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	88
PID 4928 wrote to memory of 1788	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	89
PID 4928 wrote to memory of 1788	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	89
PID 4928 wrote to memory of 1788	4928	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe	89
PID 2064 wrote to memory of 4596	2064	4k51k4.exe	91
PID 2064 wrote to memory of 4596	2064	4k51k4.exe	91
PID 2064 wrote to memory of 4596	2064	4k51k4.exe	91
PID 3920 wrote to memory of 2608	3920	IExplorer.exe	93
PID 3920 wrote to memory of 2608	3920	IExplorer.exe	93
PID 3920 wrote to memory of 2608	3920	IExplorer.exe	93
PID 3920 wrote to memory of 3124	3920	IExplorer.exe	94
PID 3920 wrote to memory of 3124	3920	IExplorer.exe	94
PID 3920 wrote to memory of 3124	3920	IExplorer.exe	94
PID 3920 wrote to memory of 2256	3920	IExplorer.exe	95
PID 3920 wrote to memory of 2256	3920	IExplorer.exe	95
PID 3920 wrote to memory of 2256	3920	IExplorer.exe	95
PID 2064 wrote to memory of 3056	2064	4k51k4.exe	140
PID 2064 wrote to memory of 3056	2064	4k51k4.exe	140
PID 2064 wrote to memory of 3056	2064	4k51k4.exe	140
PID 3920 wrote to memory of 4636	3920	IExplorer.exe	97
PID 3920 wrote to memory of 4636	3920	IExplorer.exe	97
PID 3920 wrote to memory of 4636	3920	IExplorer.exe	97
PID 4196 wrote to memory of 3588	4196	WINLOGON.EXE	98
PID 4196 wrote to memory of 3588	4196	WINLOGON.EXE	98
PID 4196 wrote to memory of 3588	4196	WINLOGON.EXE	98
PID 3920 wrote to memory of 3616	3920	IExplorer.exe	141
PID 3920 wrote to memory of 3616	3920	IExplorer.exe	141
PID 3920 wrote to memory of 3616	3920	IExplorer.exe	141
PID 2840 wrote to memory of 4352	2840	SERVICES.EXE	102
PID 2840 wrote to memory of 4352	2840	SERVICES.EXE	102
PID 2840 wrote to memory of 4352	2840	SERVICES.EXE	102
PID 1444 wrote to memory of 4348	1444	CSRSS.EXE	101
PID 1444 wrote to memory of 4348	1444	CSRSS.EXE	101
PID 1444 wrote to memory of 4348	1444	CSRSS.EXE	101
PID 1524 wrote to memory of 1520	1524	LSASS.EXE	100
PID 1524 wrote to memory of 1520	1524	LSASS.EXE	100
PID 1524 wrote to memory of 1520	1524	LSASS.EXE	100
PID 4196 wrote to memory of 3300	4196	WINLOGON.EXE	103
PID 4196 wrote to memory of 3300	4196	WINLOGON.EXE	103
PID 4196 wrote to memory of 3300	4196	WINLOGON.EXE	103
PID 3920 wrote to memory of 2752	3920	IExplorer.exe	105
PID 3920 wrote to memory of 2752	3920	IExplorer.exe	105
PID 3920 wrote to memory of 2752	3920	IExplorer.exe	105
PID 2064 wrote to memory of 3896	2064	4k51k4.exe	104
PID 2064 wrote to memory of 3896	2064	4k51k4.exe	104
PID 2064 wrote to memory of 3896	2064	4k51k4.exe	104
PID 1444 wrote to memory of 1044	1444	CSRSS.EXE	106

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE

C:\Users\Admin\AppData\Local\Temp\3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\3e6c2d6b25eb536bd73cb64f8d6ce680_NeikiAnalytics.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4928
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2064
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4596
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3896
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2824
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3576
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:880
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2944
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3920
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2608
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3124
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2256
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4636
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3616
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4920
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4196
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3588
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3300
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3440
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4760
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3204
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4456
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2100
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1444
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4348
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4432
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1856
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:464
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1640
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2856
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2840
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4352
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3288
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:900
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3404
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1524
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1520
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5036
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3180
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:564
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1788
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4156
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3312
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5084
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3056

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe d47963ee757b79d4ec5b0c67314c0254 gc/ucfYnJkKwjzddCXdJFw.0.1.0.0.0
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
91KB

MD5
f363c13fb6bf8ab5c84f1289185fdca2

SHA1
5d9ebcd0e0199356512cf618c1c002a04a874f35

SHA256
9ab694428894a6792551ba58144ab6322350b4442175ba5b36dc4fd4d0fe1a4d

SHA512
31acc4c04e6595f987bc0b9f116fb181940906fd7f0728572b40fffa6c745f435ba39b189c4554fb332277dd9df8eca58e5b08b163068cb559df27007c580ba4

Download Submit
C:\4k51k4.exe

Filesize
91KB

MD5
dffc2a4b85d9a5ed0afa3a73705083bb

SHA1
8927d81f3b572d46f9ccfbfa10135d92df2fe35f

SHA256
4dbe0a65a92f91f7fbf2a7206005d92a62e95f3cff8c30ddadee8fc04e84fda7

SHA512
62320af083df6206e1763daaf86bf1cd83811def039d6fa2badddfc54d91ca33a5808c5e44261eddd0231cc8f0283c4b0859b0494c3aff0058907715e793591f

Download Submit
C:\4k51k4.exe

Filesize
91KB

MD5
1d535a5e34dc7dd93dd77f47ea8992c6

SHA1
dafecdc7f8d5f297e27640cca735b56b32416e11

SHA256
be1858d8eb5124f98322af40a32067892632d952ccc5cb5ca40da9cff0953b4d

SHA512
948f87769ea2edae3b2e351f603a81479eab1e5a57c1bba3c0902fd666f43ea023e8cb8810e7531d4ce4ca77384f54e16aa23799c93ab2d0f2a0a148ae422ae0

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
151d099da49819e29f41cd45e48e1611

SHA1
7f12207e5072b8ee22484c91c6c1876c2a02e461

SHA256
8e70a6cc10d4ba90877f7ce313068552447b561557ce0c7c292184fda04a49bd

SHA512
1e97f02a522553ee6157c35885623a3ac8655129b5de2d973f4a2300e33cf8356ab64aa679e946e568af167701848aecc393b7cc303fe3839e04d30ed4f05315

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
a361b89ea694a5490c35c6f9f16557c1

SHA1
6a45fe8d180758d282746ea4373f317e04b01927

SHA256
b24e4ae50487cc29ff0352ac103bbfcbf4c9c5982a9195e0d7f561d1a2c7c69c

SHA512
054c51826023a12285f948925f4eef5b62249b0ca14ab0aba92f479de8d38357e7db5e32795685429ed04efe18336870945bb050aa9c3227922ace8c2f771a22

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
4223ba4cfcd9348cdb81163c3ddc9fa1

SHA1
0c664a5445ef497433b3ab3ca9de7b5d5caec48f

SHA256
e52a846f796e820dff85595e5b2f7a3c8df3a4a2297d726bfe2f2375527df955

SHA512
acf3ef9894aa7eebb4526670f49964ec0b65c5e70e43aeee8caed286f5a24f588fb931aeced1818e4a4b2c06168ebe3257ee3b6f2350918b25d9132a759964b9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
f3bb868f04132f368b732017807e823f

SHA1
618403d7b60e6d4cf748aa0e1186f8a2098c23e0

SHA256
252a590dad44e8ff37ead30e0f5207cbdb7d2053396e1e7494ad91cb3886f623

SHA512
22ada195ac5b472de9ce3707336b6da6de0d943e2b10f8f1364d1c156b2049740901e7293ed7402036f578d541ce5eb73d53e83887cfabb3df2e38d87c0a08a2

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
ec8ab90dc102f0fcebf6950b9616dba8

SHA1
e5a704c7b681871f938c315d93bed3cba7c16a0c

SHA256
515970073a1f0bcdedba6e64781e3e21f4fcfc69abd0434ce02b9a063091edb8

SHA512
5e4c7c1624aa9f42393168c5a31c7c67ea7caf04cd5a4d126bc549d9c260c3ae9c04e0a93d1ac7f6e8a42d6072b8bf3028949e4bff59cc2105321ad812493cd5

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
91KB

MD5
3e6c2d6b25eb536bd73cb64f8d6ce680

SHA1
16cbe8d43783b6bc4ea377eef4547e46258b11c9

SHA256
7c0a7a60063a9997c830905fd02791393f3a1500b1032c102a9d0d1c63a5d819

SHA512
6f7687b076ed2c931c9424c563b98dabc55b00d1d38989305617ba6c5ab4d11e5c4988dbbd76bad58e85fbc5ac54a9d1a54c3555f85b07de00e3676bf2f4fd56

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
62a4553a7bc672aa9efa566a315ed6f8

SHA1
a28444c5118d023fea3fe03bbce443f7ccb96946

SHA256
ae89db70b60c2eec6a485e69b0080469338638eea2a33050b1e3fa4577ff3de0

SHA512
275148d0a3eecfc337bed084a433325771c21c019845998ac00d50c6931b783ac79a3a3b793ae753836d2c2af0e6a3f8310a55495a00c45ed056a37e5f7ff08c

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
e9052576f72f0e51a9c4b7dbf7d8024f

SHA1
c750301113c77bd928a19b70b1c114d77daffb52

SHA256
78a4a519bd830bfc237b2669afa3f71fd6bd9d02070acf4bf122088dc771ff3e

SHA512
9d8ae9a515f262f84760a3cadc838b213d8fec67013a9541b6f9f57b9fa5a52ac6338d6f7a0260bd890fcb0d9caa87293149e0163738ec5613579145b84099e1

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
91KB

MD5
c5ab611b5a227e2362ece9210900c378

SHA1
7ab04481251782744bb058a3b0dc8fd39fb0362c

SHA256
c07d23c92e4dacc0ba19e3c36b516b01eed96dfc61220ff4a054fb2fdbdec55e

SHA512
04590b31b724679c829f89d4f2a893a10da43f93ec709385bb0486c9c048ca2d14c5420224aa07dbe5bd59aab2b818f137a9321cc00fb068ab1f48b2acc915db

Download Submit
C:\Windows\4k51k4.exe

Filesize
91KB

MD5
4a3bf01cfe8a9fcd2bf2ba9be750c1cd

SHA1
a7a28840fab564431c8cdb4cb9fdd03b716dd7cd

SHA256
a165c64b3cc588da25977ab7df6ddf97236836f68fefb56823aaf15636ed910c

SHA512
5edb3d6b2a9840734a40344e38f709de05afa148e2119b84b2eb3aade5aec248a4bb4e15551eff53a2e1cefd84f8f7c6259cd278333d442704bb48ef755c435a

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
57053cea96785fc7cf2e86e334e87098

SHA1
44a58f43cc904ab02238ffb67127c690224d021e

SHA256
04c44bcbc797a85321a430f5cc455c3599c939443ffd6c6599f9cb4aa5cc65ab

SHA512
07aa3b60eeb51219d19e9529f77a748e85dfcc1361ffa35b6bfc0092a0c44adbbe1e51cbd8b5b44e654065a054f1f14024295722ef4310e805b8f90daad62650

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
91KB

MD5
8969f0bf100bdda9eb256ac0ed37dabd

SHA1
a9722e7b399a638965ccb6d237a4431a2e3bf4e7

SHA256
a314c6b4da6ca6fba78771ff66975fcf4a65521f336ff84b912e8c297778290e

SHA512
0eb7c25b655294b1f7418efa909e927c674c633439c36222046c5f7e295fce15a7db319ec96bc96ef19d431967f57214a165e225349ea9bcf1a378ccf88a4833

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
91KB

MD5
da9f8ad1f0198e71db98e30d69d31257

SHA1
9395e6869ae6f4fcafef9272e388c790488c1d87

SHA256
1a4889ca900972b5cfa9f9b61cd27e7dccacf0197d99c315c5891a34673f7ebf

SHA512
b902d4c3b1277f7cf2ab0ae0d0d9e87a78c7f0a4ec9bd28a80a9694d399cfa3153fcca163edd2888078539f00b2b2673b94cfd083b613a452f1b04774b3414ff

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
91KB

MD5
ed4e13952e0821b8c9f2e595eacd514a

SHA1
57374c091eb2a5f287ac4aa5ef290b25ea5d7c74

SHA256
d8790f80bed13f433a5c8a48c9999b879893265414571211ef643d08ff3fde65

SHA512
1a89e5e536e4eb53d7fbb433d893fe1a3f4ef812a901d2fcb9c7a2e8088e52380101250cfe560e09d59c9741d2f72c273125429d1b75251c1453cfd7d5fdcdec

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
91KB

MD5
856b485a3d22c0fe1478175a69848a8b

SHA1
fc70ded738268052a705b6bda5ffec0bf21b7be5

SHA256
670e29280fa629df8e34c238e42164898e798348b42c7faf2c683727e8f15cd3

SHA512
bf4bb4da0f876ef892a3416fe8be15e4ca34b17e8443bdf1922091b3437b533175104a6bcfe3a9024f6b69ee8b184a37335acaeca9672631d2aa47907e5cadb4

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
befd9fb3b58beeef5562409b0e35769d

SHA1
5c3305a461f4b4d2ea504dc0773119c9a5b5f9a1

SHA256
3b1d970fcb22ca2438a23e2021cbaf9b8ba6733ab937d3f02be31d784646bdcf

SHA512
d3de8e04fa4caf5078ddf2a5d8f1c738ea499a43463322097e44c410a2a04bc0c692fccb4646c5f53d4e939cc20d5bdb7fde9fe8dce6f295b489ff380d539b20

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
b2beb3c21ff090b8e9fdeb8dc3f49c20

SHA1
809ad2a6a081044241d3ec939e85dd711ec139cd

SHA256
8a6a7c4e3351c803e0e1842559c978333cf2780dd7e7379b94a61f0e351d7f65

SHA512
355bba46389fd82624a865b5c5ea76c957e100d1198cbcc9c29a7f9de51bf2bc0a39aa670a7e1674f4b01d47ed3a76f1a5abd83c3db78f79631ae55ad08269b7

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
91KB

MD5
9e9cd2e0c02e09bcd885c66b49eebe10

SHA1
505aa1f30483d95d952569888a23ed846824c39c

SHA256
91766d9b6e874886bd73bf4ee0cb650cb8812eb4f4f256a4f9f5791a24c1c558

SHA512
94d62716eeed0ec7ef9bfb81035724800f7d031c4ac0d9d94444c0c4c24670c95469a3c546acfbe6ddfe9d538a98f8a821dcbede80c0d0f23dd4344e3f02189e

Download Submit
memory/564-479-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/880-453-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/900-386-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1036-355-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-357-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1044-333-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1408-454-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-509-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1444-313-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1520-336-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-350-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1524-511-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1788-512-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1788-362-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1856-429-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-239-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2064-506-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2128-388-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2256-238-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2608-202-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2752-331-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2824-406-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-330-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-135-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2840-510-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-471-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2944-474-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3056-505-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3056-310-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3124-205-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3204-425-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3288-360-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3300-337-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3312-494-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3404-430-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3440-353-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3440-351-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3576-411-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3588-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3588-312-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3616-314-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3752-457-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3896-332-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3920-507-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3920-262-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4156-459-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4196-508-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4196-269-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4348-329-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4352-339-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4432-384-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4596-236-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4636-264-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4636-306-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4736-484-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4920-371-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4928-148-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4928-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5036-427-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5084-501-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download