Analysis

max time kernel: 150s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-05-2024 20:32

Behavioral task: behavioral1
Sample: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Resource: win10v2004-20240426-en

General

Target: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Size: 45KB
MD5: 6eb19ae66d972318036d3db18d5d472a
SHA1: be8a4422b0e24543c2dcf77d573b68ff411e10cf
SHA256: 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2
SHA512: ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f
SSDEEP: 768:CcMJOcV8OrUpdJ8WbqpD3TORaEXowekfKnl:yOcjUpkWb2TTgKwul
Malware Config

Signatures

Modifies WinLogon for persistence (2 TTPs, 16 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4k51k4.exe
Disables RegEdit via registry modification (16 IoCs)

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Disables Task Manager via registry modification

Disables use of System Restore points (1 TTPs)
Executes dropped EXE (63 IoCs)

pid | Process
856 | 4k51k4.exe
552 | IExplorer.exe
1840 | 4k51k4.exe
1972 | IExplorer.exe
1592 | WINLOGON.EXE
2040 | 4k51k4.exe
676 | CSRSS.EXE
1068 | IExplorer.exe
2760 | 4k51k4.exe
988 | SERVICES.EXE
2976 | WINLOGON.EXE
2224 | LSASS.EXE
2024 | CSRSS.EXE
1896 | IExplorer.exe
2540 | WINLOGON.EXE
2432 | SMSS.EXE
2904 | SERVICES.EXE
2584 | CSRSS.EXE
2612 | LSASS.EXE
2384 | SERVICES.EXE
2636 | 4k51k4.exe
2392 | IExplorer.exe
2348 | SMSS.EXE
2424 | LSASS.EXE
1764 | 4k51k4.exe
1832 | WINLOGON.EXE
2324 | IExplorer.exe
1108 | SMSS.EXE
2060 | WINLOGON.EXE
1464 | 4k51k4.exe
1612 | CSRSS.EXE
2960 | 4k51k4.exe
380 | SERVICES.EXE
2916 | CSRSS.EXE
2136 | IExplorer.exe
2664 | WINLOGON.EXE
2988 | LSASS.EXE
2724 | IExplorer.exe
1620 | SMSS.EXE
844 | SERVICES.EXE
2732 | 4k51k4.exe
1644 | CSRSS.EXE
2852 | WINLOGON.EXE
904 | LSASS.EXE
2740 | IExplorer.exe
2900 | WINLOGON.EXE
2756 | SERVICES.EXE
896 | LSASS.EXE
2300 | CSRSS.EXE
1636 | SMSS.EXE
2012 | SMSS.EXE
2024 | CSRSS.EXE
1720 | WINLOGON.EXE
2492 | SERVICES.EXE
2504 | SERVICES.EXE
2848 | CSRSS.EXE
2584 | LSASS.EXE
2628 | LSASS.EXE
2544 | SERVICES.EXE
2692 | SMSS.EXE
2464 | SMSS.EXE
2472 | LSASS.EXE
2084 | SMSS.EXE
Loads dropped DLL (64 IoCs)

pid | Process
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
856 | 4k51k4.exe
856 | 4k51k4.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
856 | 4k51k4.exe
856 | 4k51k4.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
856 | 4k51k4.exe
856 | 4k51k4.exe
552 | IExplorer.exe
552 | IExplorer.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
552 | IExplorer.exe
552 | IExplorer.exe
856 | 4k51k4.exe
856 | 4k51k4.exe
552 | IExplorer.exe
552 | IExplorer.exe
856 | 4k51k4.exe
856 | 4k51k4.exe
552 | IExplorer.exe
552 | IExplorer.exe
856 | 4k51k4.exe
1592 | WINLOGON.EXE
552 | IExplorer.exe
1592 | WINLOGON.EXE
856 | 4k51k4.exe
552 | IExplorer.exe
1592 | WINLOGON.EXE
676 | CSRSS.EXE
676 | CSRSS.EXE
552 | IExplorer.exe
552 | IExplorer.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
1592 | WINLOGON.EXE
1592 | WINLOGON.EXE
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
676 | CSRSS.EXE
2224 | LSASS.EXE
2224 | LSASS.EXE
676 | CSRSS.EXE
988 | SERVICES.EXE
988 | SERVICES.EXE
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
1592 | WINLOGON.EXE
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
1592 | WINLOGON.EXE
676 | CSRSS.EXE
Modifies system executable filetype association (2 TTPs, 64 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
resource | yara_rule
behavioral1/memory/2072-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x00080000000155e2-8.dat | upx
behavioral1/files/0x0007000000015c2f-113.dat | upx
behavioral1/files/0x0006000000015e7c-118.dat | upx
behavioral1/memory/2072-119-0x0000000000540000-0x0000000000563000-memory.dmp | upx
behavioral1/memory/1840-202-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1972-203-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0006000000015ec0-204.dat | upx
behavioral1/files/0x0006000000015eaf-224.dat | upx
behavioral1/memory/2040-261-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2072-260-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0006000000016042-263.dat | upx
behavioral1/memory/856-264-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/552-269-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2040-273-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0006000000015e6f-222.dat | upx
behavioral1/files/0x0006000000015e5b-219.dat | upx
behavioral1/files/0x0006000000015e41-218.dat | upx
behavioral1/files/0x0006000000016332-216.dat | upx
behavioral1/files/0x000600000001604b-215.dat | upx
behavioral1/files/0x0006000000016283-332.dat | upx
behavioral1/files/0x0006000000015eaf-294.dat | upx
behavioral1/files/0x0006000000015e6f-292.dat | upx
behavioral1/files/0x0006000000015e5b-289.dat | upx
behavioral1/files/0x0006000000015e41-288.dat | upx
behavioral1/files/0x0006000000016332-287.dat | upx
behavioral1/memory/2760-321-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1068-285-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2224-340-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2976-343-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1592-339-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/988-327-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/676-354-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2024-370-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2540-372-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1896-363-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2760-350-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2224-383-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2072-382-0x0000000000540000-0x0000000000563000-memory.dmp | upx
behavioral1/memory/2904-381-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/552-379-0x00000000026B0000-0x00000000026D3000-memory.dmp | upx
behavioral1/memory/2584-405-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2612-410-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2384-414-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2384-420-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2636-425-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2432-421-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1832-479-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2324-510-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1764-492-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2060-508-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/380-537-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/988-534-0x0000000002590000-0x00000000025B3000-memory.dmp | upx
behavioral1/memory/1612-533-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1108-520-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2060-514-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1108-512-0x0000000000220000-0x0000000000230000-memory.dmp | upx
behavioral1/memory/2424-477-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2348-475-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2136-584-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2960-553-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2988-558-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2916-560-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1464-544-0x0000000000400000-0x0000000000423000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 40 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SMSS.EXE
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | C:\desktop.ini | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created | C:\desktop.ini | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification | F:\desktop.ini | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created | F:\desktop.ini | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 52 IoCs
-
Drops file in Windows directory 34 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Control Panel 32 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2072 | 3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid | Process
856 | 4k51k4.exe
676 | CSRSS.EXE
1592 | WINLOGON.EXE
552 | IExplorer.exe
2224 | LSASS.EXE
988 | SERVICES.EXE
2432 | SMSS.EXE
-
Suspicious use of SetWindowsHookEx 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 40 IoCs
-
Processes
-
C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2072 -
C:\Windows\4k51k4.exe (depth 2)
Command line: C:\Windows\4k51k4.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:856 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2040
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1068
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2976
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2612
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 2)
Command line: C:\Windows\system32\IExplorer.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:552 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2760
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1896
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2540
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2384
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1108
-
-
-
C:\Windows\4k51k4.exe (depth 2)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1840
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 2)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1592 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2392
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:844
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:904
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:676 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1764
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2324
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1644
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2756
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:896
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2012
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:988 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2960
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2900
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2300
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2584
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2224 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2136
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2024
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2464
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2432 -
C:\Windows\4k51k4.exe (depth 3)
Command line: C:\Windows\4k51k4.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\IExplorer.exe (depth 3)
Command line: C:\Windows\system32\IExplorer.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1720
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2544
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2472
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 3)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2084
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2060
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1612
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:380
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2988
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE (depth 2)
Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1620
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Modify Registry (6)
Downloads