3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Size

45KB
MD5

6eb19ae66d972318036d3db18d5d472a
SHA1

be8a4422b0e24543c2dcf77d573b68ff411e10cf
SHA256

3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2
SHA512

ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f
SSDEEP

768:CcMJOcV8OrUpdJ8WbqpD3TORaEXowekfKnl:yOcjUpkWb2TTgKwul

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 56 IoCs

pid	Process
4752	4k51k4.exe
5064	IExplorer.exe
3860	WINLOGON.EXE
1512	CSRSS.EXE
4916	SERVICES.EXE
4512	LSASS.EXE
2760	SMSS.EXE
4824	4k51k4.exe
2040	IExplorer.exe
2464	4k51k4.exe
5076	WINLOGON.EXE
3572	IExplorer.exe
2328	CSRSS.EXE
448	SERVICES.EXE
4476	4k51k4.exe
3268	4k51k4.exe
3792	LSASS.EXE
5068	IExplorer.exe
1096	IExplorer.exe
4192	4k51k4.exe
4316	WINLOGON.EXE
4272	SMSS.EXE
4488	4k51k4.exe
1140	WINLOGON.EXE
2928	WINLOGON.EXE
796	CSRSS.EXE
3564	IExplorer.exe
3224	IExplorer.exe
3408	CSRSS.EXE
3596	CSRSS.EXE
4812	4k51k4.exe
4516	WINLOGON.EXE
4088	SERVICES.EXE
8	IExplorer.exe
1748	SERVICES.EXE
5044	WINLOGON.EXE
1496	SERVICES.EXE
896	LSASS.EXE
3752	CSRSS.EXE
4552	WINLOGON.EXE
4784	LSASS.EXE
4780	LSASS.EXE
4580	CSRSS.EXE
1080	SMSS.EXE
2892	SERVICES.EXE
3548	SMSS.EXE
3592	SMSS.EXE
2816	CSRSS.EXE
3104	SERVICES.EXE
2392	LSASS.EXE
3336	SERVICES.EXE
4408	LSASS.EXE
960	SMSS.EXE
1876	LSASS.EXE
4400	SMSS.EXE
4296	SMSS.EXE

Loads dropped DLL 7 IoCs

pid	Process
4824	4k51k4.exe
2464	4k51k4.exe
3268	4k51k4.exe
4476	4k51k4.exe
4192	4k51k4.exe
4488	4k51k4.exe
4812	4k51k4.exe

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1496-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x0007000000023474-8.dat	upx
behavioral2/files/0x0007000000023478-110.dat	upx
behavioral2/memory/4752-112-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347c-116.dat	upx
behavioral2/files/0x000700000002347e-123.dat	upx
behavioral2/files/0x000700000002347f-128.dat	upx
behavioral2/files/0x0007000000023480-133.dat	upx
behavioral2/files/0x0007000000023481-138.dat	upx
behavioral2/files/0x0007000000023482-143.dat	upx
behavioral2/memory/1496-148-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347a-150.dat	upx
behavioral2/memory/4824-185-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2040-217-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4752-220-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2464-222-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347d-229.dat	upx
behavioral2/memory/2328-247-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5064-250-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/448-249-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347a-252.dat	upx
behavioral2/files/0x000700000002347d-262.dat	upx
behavioral2/memory/3860-286-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1512-288-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347b-255.dat	upx
behavioral2/files/0x0007000000023479-251.dat	upx
behavioral2/memory/5076-242-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/files/0x000700000002347b-235.dat	upx
behavioral2/files/0x000700000002347a-233.dat	upx
behavioral2/files/0x0007000000023479-231.dat	upx
behavioral2/memory/448-300-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4916-301-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3268-303-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3572-305-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4512-310-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4476-309-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2464-205-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2760-331-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4316-341-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1096-340-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5068-338-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3792-335-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2928-352-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4192-354-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4488-358-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2928-362-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1140-361-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4272-356-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3564-392-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3224-403-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4088-407-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4812-412-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4516-410-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/896-429-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1496-431-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5044-428-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/8-421-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4552-443-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2892-453-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2816-467-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2392-472-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3336-476-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4408-481-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4408-478-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	4k51k4.exe
File created	C:\desktop.ini	4k51k4.exe
File opened for modification	F:\desktop.ini	4k51k4.exe
File created	F:\desktop.ini	4k51k4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	CSRSS.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\B:	4k51k4.exe
File opened (read-only)	\??\Q:	IExplorer.exe
File opened (read-only)	\??\E:	4k51k4.exe
File opened (read-only)	\??\N:	SERVICES.EXE
File opened (read-only)	\??\N:	LSASS.EXE
File opened (read-only)	\??\L:	SMSS.EXE
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\S:	4k51k4.exe
File opened (read-only)	\??\Y:	4k51k4.exe
File opened (read-only)	\??\B:	LSASS.EXE
File opened (read-only)	\??\S:	SMSS.EXE
File opened (read-only)	\??\E:	IExplorer.exe
File opened (read-only)	\??\T:	SERVICES.EXE
File opened (read-only)	\??\N:	4k51k4.exe
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\W:	LSASS.EXE
File opened (read-only)	\??\I:	SMSS.EXE
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\N:	WINLOGON.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\N:	SMSS.EXE
File opened (read-only)	\??\U:	SMSS.EXE
File opened (read-only)	\??\T:	IExplorer.exe
File opened (read-only)	\??\O:	CSRSS.EXE
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\W:	WINLOGON.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\Z:	LSASS.EXE
File opened (read-only)	\??\T:	4k51k4.exe
File opened (read-only)	\??\X:	4k51k4.exe
File opened (read-only)	\??\O:	IExplorer.exe
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\X:	LSASS.EXE
File opened (read-only)	\??\Y:	LSASS.EXE
File opened (read-only)	\??\W:	SMSS.EXE
File opened (read-only)	\??\Q:	4k51k4.exe
File opened (read-only)	\??\G:	IExplorer.exe
File opened (read-only)	\??\S:	CSRSS.EXE
File opened (read-only)	\??\Z:	WINLOGON.EXE
File opened (read-only)	\??\M:	SERVICES.EXE
File opened (read-only)	\??\J:	4k51k4.exe
File opened (read-only)	\??\Z:	IExplorer.exe
File opened (read-only)	\??\W:	IExplorer.exe
File opened (read-only)	\??\O:	SERVICES.EXE
File opened (read-only)	\??\R:	LSASS.EXE
File opened (read-only)	\??\V:	4k51k4.exe
File opened (read-only)	\??\I:	IExplorer.exe
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\S:	SERVICES.EXE
File opened (read-only)	\??\L:	CSRSS.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\S:	IExplorer.exe
File opened (read-only)	\??\K:	CSRSS.EXE
File opened (read-only)	\??\Z:	CSRSS.EXE
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\R:	WINLOGON.EXE
File opened (read-only)	\??\I:	LSASS.EXE
File opened (read-only)	\??\I:	4k51k4.exe
File opened (read-only)	\??\W:	4k51k4.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\shell.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\MrHelloween.scr	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
4752	4k51k4.exe
1512	CSRSS.EXE
3860	WINLOGON.EXE
4916	SERVICES.EXE
4512	LSASS.EXE
5064	IExplorer.exe
2760	SMSS.EXE

Suspicious use of SetWindowsHookEx 57 IoCs

pid	Process
1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
4752	4k51k4.exe
5064	IExplorer.exe
3860	WINLOGON.EXE
1512	CSRSS.EXE
4916	SERVICES.EXE
4512	LSASS.EXE
2760	SMSS.EXE
4824	4k51k4.exe
2040	IExplorer.exe
2464	4k51k4.exe
5076	WINLOGON.EXE
2328	CSRSS.EXE
448	SERVICES.EXE
3572	IExplorer.exe
4476	4k51k4.exe
3268	4k51k4.exe
3792	LSASS.EXE
5068	IExplorer.exe
1096	IExplorer.exe
4316	WINLOGON.EXE
4272	SMSS.EXE
4192	4k51k4.exe
4488	4k51k4.exe
1140	WINLOGON.EXE
2928	WINLOGON.EXE
796	CSRSS.EXE
3564	IExplorer.exe
3408	CSRSS.EXE
3224	IExplorer.exe
3596	CSRSS.EXE
4812	4k51k4.exe
4516	WINLOGON.EXE
4088	SERVICES.EXE
8	IExplorer.exe
1748	SERVICES.EXE
5044	WINLOGON.EXE
1496	SERVICES.EXE
896	LSASS.EXE
3752	CSRSS.EXE
4552	WINLOGON.EXE
4784	LSASS.EXE
4780	LSASS.EXE
4580	CSRSS.EXE
1080	SMSS.EXE
2892	SERVICES.EXE
3548	SMSS.EXE
3592	SMSS.EXE
2816	CSRSS.EXE
3104	SERVICES.EXE
2392	LSASS.EXE
3336	SERVICES.EXE
4408	LSASS.EXE
1876	LSASS.EXE
4400	SMSS.EXE
960	SMSS.EXE
4296	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 4752	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	82
PID 1496 wrote to memory of 4752	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	82
PID 1496 wrote to memory of 4752	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	82
PID 1496 wrote to memory of 5064	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	83
PID 1496 wrote to memory of 5064	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	83
PID 1496 wrote to memory of 5064	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	83
PID 1496 wrote to memory of 3860	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	85
PID 1496 wrote to memory of 3860	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	85
PID 1496 wrote to memory of 3860	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	85
PID 1496 wrote to memory of 1512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	86
PID 1496 wrote to memory of 1512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	86
PID 1496 wrote to memory of 1512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	86
PID 1496 wrote to memory of 4916	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	87
PID 1496 wrote to memory of 4916	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	87
PID 1496 wrote to memory of 4916	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	87
PID 1496 wrote to memory of 4512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	89
PID 1496 wrote to memory of 4512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	89
PID 1496 wrote to memory of 4512	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	89
PID 1496 wrote to memory of 2760	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	90
PID 1496 wrote to memory of 2760	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	90
PID 1496 wrote to memory of 2760	1496	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe	90
PID 4752 wrote to memory of 4824	4752	4k51k4.exe	92
PID 4752 wrote to memory of 4824	4752	4k51k4.exe	92
PID 4752 wrote to memory of 4824	4752	4k51k4.exe	92
PID 4752 wrote to memory of 2040	4752	4k51k4.exe	93
PID 4752 wrote to memory of 2040	4752	4k51k4.exe	93
PID 4752 wrote to memory of 2040	4752	4k51k4.exe	93
PID 5064 wrote to memory of 2464	5064	IExplorer.exe	94
PID 5064 wrote to memory of 2464	5064	IExplorer.exe	94
PID 5064 wrote to memory of 2464	5064	IExplorer.exe	94
PID 4752 wrote to memory of 5076	4752	4k51k4.exe	95
PID 4752 wrote to memory of 5076	4752	4k51k4.exe	95
PID 4752 wrote to memory of 5076	4752	4k51k4.exe	95
PID 5064 wrote to memory of 3572	5064	IExplorer.exe	96
PID 5064 wrote to memory of 3572	5064	IExplorer.exe	96
PID 5064 wrote to memory of 3572	5064	IExplorer.exe	96
PID 4752 wrote to memory of 2328	4752	4k51k4.exe	97
PID 4752 wrote to memory of 2328	4752	4k51k4.exe	97
PID 4752 wrote to memory of 2328	4752	4k51k4.exe	97
PID 4752 wrote to memory of 448	4752	4k51k4.exe	98
PID 4752 wrote to memory of 448	4752	4k51k4.exe	98
PID 4752 wrote to memory of 448	4752	4k51k4.exe	98
PID 3860 wrote to memory of 3268	3860	WINLOGON.EXE	99
PID 3860 wrote to memory of 3268	3860	WINLOGON.EXE	99
PID 3860 wrote to memory of 3268	3860	WINLOGON.EXE	99
PID 1512 wrote to memory of 4476	1512	CSRSS.EXE	100
PID 1512 wrote to memory of 4476	1512	CSRSS.EXE	100
PID 1512 wrote to memory of 4476	1512	CSRSS.EXE	100
PID 3860 wrote to memory of 5068	3860	WINLOGON.EXE	102
PID 3860 wrote to memory of 5068	3860	WINLOGON.EXE	102
PID 3860 wrote to memory of 5068	3860	WINLOGON.EXE	102
PID 4752 wrote to memory of 3792	4752	4k51k4.exe	101
PID 4752 wrote to memory of 3792	4752	4k51k4.exe	101
PID 4752 wrote to memory of 3792	4752	4k51k4.exe	101
PID 1512 wrote to memory of 1096	1512	CSRSS.EXE	103
PID 1512 wrote to memory of 1096	1512	CSRSS.EXE	103
PID 1512 wrote to memory of 1096	1512	CSRSS.EXE	103
PID 5064 wrote to memory of 4316	5064	IExplorer.exe	104
PID 5064 wrote to memory of 4316	5064	IExplorer.exe	104
PID 5064 wrote to memory of 4316	5064	IExplorer.exe	104
PID 4752 wrote to memory of 4272	4752	4k51k4.exe	105
PID 4752 wrote to memory of 4272	4752	4k51k4.exe	105
PID 4752 wrote to memory of 4272	4752	4k51k4.exe	105
PID 4512 wrote to memory of 4192	4512	LSASS.EXE	106

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE

C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe
"C:\Users\Admin\AppData\Local\Temp\3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1496
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4752
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4824
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5076
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:448
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3792
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4272
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5064
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2464
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3572
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4316
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:796
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4088
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:896
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1080
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3860
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:3268
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2928
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4780
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1512
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4476
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1096
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1140
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3596
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4784
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:4916
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4488
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5044
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4580
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3104
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4408
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4400
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4512
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4192
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3564
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4516
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3752
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:960
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2760
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:4812
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:8
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4552
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2816
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3336
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1876
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
45KB

MD5
7b0a241fd3c0ab64ea082ba092e72fcc

SHA1
f4463f48e80d4fa2ec6462975ae44773e244160a

SHA256
582ff4a3ac5719c51648b74af335358527a566c1ead2b68efce3e924bf43cf60

SHA512
e8fae0b089f7ec436391ef13c6954d51f3adfe8c427a6a624728fe6d662310dc6455737362d940b3b470c18e2f9592f219e06f942a2e1463b7031d53d04514f9

Download Submit
C:\4k51k4.exe

Filesize
45KB

MD5
1773ff8f61a0c13e6606b3f74bcffa99

SHA1
91860e9140d5b48378297c2aa0c07ff64f716156

SHA256
91d08b3374d704c5957608f89687a4142c7decad18285f086f2965a03f256a18

SHA512
50b1e08b9a6aa9da0e2f80f68275f93cbb7322e80f883dd9c9f4015d99f801e023776c471322b459dfc5806b1101c69d72b6b6d1b506d5f7459d67f2615cadd7

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
45KB

MD5
e1b24eb0587f150811db2c9cbdf1a0cc

SHA1
295daaa0bdc88956d83aa7d2ef31e8a1d6016af5

SHA256
74bf43d4ca1f1d613db1a616ccea421f533298e2722aef8f634049e003437c80

SHA512
20816f2fff941e3fdb61cdddac70a5ef91f361ad35720d289977677ff2b54effedde65b5bbc4012426559e147e154367a028e8525ff34b890b11a84ceb788811

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
45KB

MD5
adfd95fb727d46605e79dd784ab22e22

SHA1
fd54eb4f4ec2ee61572f2f9d1641d5f1d65ddb51

SHA256
a60bf3167a0f90db6b83effefad244e6e2cac39b342bea4021fb355fdabe3dad

SHA512
a5b77eb43bab5039314b6c1221bf4bb448ea513840668a2963b012f1d5150e21822f1e6eebe01059c6b86e5cf55df48964920f2a1d546baea3be286481cbc87e

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
45KB

MD5
d4ef9b46a0b7d8069b4e194b2e33e384

SHA1
4829ba106f50dee23c79912637ee68cb3b5a51b7

SHA256
52bcf0c75691c789b2c9e46344e7ae482c16ed6347797ea09540dacd1c3bff6c

SHA512
e0f7ade14073ec304c28cf4e9f53d314c946a1b306553d0f6e85980e415db8c9bd72b4a56bfbda72efc6e51ae108b7c9b0bcc07fd7b2fd040202db636c3c3b30

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
45KB

MD5
5a84061c5423af7d0f02106204b964fd

SHA1
1d6a1b4a4dd4667dd38a7dbac9fe98677d82d7fb

SHA256
ec7cf79040fe907d536cbe21b1cf40b6267b38927d6550c3d04ce23408ce4668

SHA512
aceec7d201171a5d109e36c47080d290e3cc462d55564758be3ca95e7b55ddaded5ccd65b79cb9030807362835346b1342e6393a3278901b5a9c203de591a062

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
45KB

MD5
74d1414a96441104069cb32dfbffcfef

SHA1
dc75f19f59b39635a24195e8c3610d74278b1d0b

SHA256
84253e3464b3fb7387ada610ad9413ad2cfebc6253967812a3d51c3dac9595d8

SHA512
1965f7005ebc80fd758fa14e1f5fc8f17a697b4f3ea4134b778aab952864bbe463976c2182e4214e81b3da120ed90e2706ab114259e356fb0265d91eb0694f3a

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
45KB

MD5
6eb19ae66d972318036d3db18d5d472a

SHA1
be8a4422b0e24543c2dcf77d573b68ff411e10cf

SHA256
3a1e07f5d3779e1d0374452c1914cc986ec04219a4451780c069e39e66888aa2

SHA512
ebd9118fda8361dac4989a9da473122b60b9d0a85b3effc0893b65e2080dfe66fc673afd2c1937921eaa663723cfccb184ee4adc5b77b36cfcb2f611b21d988f

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
45KB

MD5
3708021fea995623ce0efa0754c0c85e

SHA1
0cd27871def42e4f06756a344c8783efca1ad8ef

SHA256
8d3cad1350980af802bc4ac7bc6e8ba1f2328da1b73e990e5751ec3e7b2dbea9

SHA512
9a0ee2658a666b1b31eac21aa628db73f69f0b62b2c81f47bf370161a20148c3e53c5ec2cdc205bdb83c8f77ec86cb1ebb034bfc38a94ed3820ddddce13332db

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
45KB

MD5
ac208ecc73d2061277dd1d6ca5f8b6de

SHA1
29f61a08123b88ac5b4b98f2433529e2c275baf4

SHA256
3fb380f1034aeb2cf7eae0ae4eee1b12fae7c3539247a2673ea7906a202e9fbf

SHA512
05ec052aab749548a47b23c6114e51c9a955ab59fcbd5dcf681770370bd8fe2284b39e3f4e07da912ea0cfa80e692e14e492254d0ba1f451b1e216430b0c39be

Download Submit
C:\Windows\4k51k4.exe

Filesize
45KB

MD5
f4c3326df270412d62666cefa047ba89

SHA1
d3dbfd03806b9c4fb704e51d581caa0fb11e59dd

SHA256
08af9dd4732473d4e40786902beb7f251b0d5bde2838b983be3f4fab8f7db814

SHA512
71d85911d632939dec8878ff099e0677c8422a339614dd287eafe5cd8f537fb3edff741bc6b7b1a923b73682a0920cfb30a73c4faf33fb9967ca5372b8461834

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
45KB

MD5
102394253ba7c90b1e17b098b0655a1a

SHA1
2ca28a05df234ba6c867d1849060e8439795f38e

SHA256
6a1c95905366cc70bf9b65d9c677e966a7b9f5930103bf5aea6a01cfd8d38440

SHA512
12cc4748587eb5d21040feb5455bd814ce7869a5f549d103c70b757fe608369af721e5d4372140f3b221b1fbe440f3ed281a3c3b310695463dd90caeb59cde38

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
45KB

MD5
8e30ef6970c2370756aa73a0a695ed82

SHA1
8d016e2df638b8f9afa7285ae47f8a0448e951ca

SHA256
6e8411d3bae3aeaf692d8583e2c8fca951d1087f3e30950b8565d2b05bbceb81

SHA512
d3375c9429dc8a9a24334f0c014b8851a8fe87325bf009a8ac4bffe150c23377169cf549831b9648acce1116b38f2e81437438b8b60515322912a8ef67b88aa2

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
45KB

MD5
d2bf1dac64f0f51ae6169c732e9330f2

SHA1
35617a33410fd174c59c650f334650af8f704490

SHA256
fd371d37a75e9636b9f666e402d43eae0f84eceef239fbee0044a107077e740f

SHA512
9b9e29dca368edddcecce763f98899a301d0c4c6a0c40b9342b2d5b7c98517e05903660d9ec7de18f20332ff487d34d780055f06ff24d07f20b52b052b9fa57a

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
45KB

MD5
7a207f22604049c22e6f2be4600f3cf4

SHA1
b54597ff544e41620cc68d7dfde1af42149cf23d

SHA256
68481e3eb544c440e41f54b6bceaef399d7e507d4c6c7723b9ef46e7e7fa3edd

SHA512
0b3831d71a161b5c8931d5d5757c7a4983e1905c0f1f98eaf4f541b25ebc3914f98e2cdcd5efc6a0218dab8757ec75d351d2223f4b0d2a0a356c000e0a805d70

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
45KB

MD5
491f9c7600b5f4a19231199fbc474d83

SHA1
98c093ca643ab09ed3f313443ffa7ff12e6c1d99

SHA256
67335e24e79793244c8517cee326ff108965217d7558a86bc52526c88fc894da

SHA512
de35b3801a9fcf8254cec9cd04728a59daf3d24dad520c7d7ea421edc258e8b5096853b801ed075d6e1e6c62ea95fab779c994af0b75aa2e86638f8d24e4f288

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
45KB

MD5
1c2155cb0b34348fca7d207078831432

SHA1
047c1f1874445e6713d1edbc7da19a95a553ae92

SHA256
1c80afd0ccabb197daa3d797adde6eeb48f5906033e7160f008308c2025f56c3

SHA512
589eb1c53d7a51c1f7f2481cd2ae92798a4971d73567b9d5b4c4df170396298cf0487089e6af50aedfbecc6215efef6b6c393f8f2782217206550d1a55d063ee

Download Submit
memory/8-421-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/448-249-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/448-300-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/896-429-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/960-492-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1096-340-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1140-361-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-431-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1496-148-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1512-288-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1512-499-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1876-489-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2040-217-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2328-247-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2392-472-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-222-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2464-205-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2760-502-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2760-331-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2816-467-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2892-453-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-352-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2928-362-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3224-403-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3268-303-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3336-476-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3564-392-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3572-305-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3792-335-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3860-286-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3860-498-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4088-407-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4192-354-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4272-356-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4316-341-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4408-481-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4408-478-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4476-309-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4488-358-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4512-310-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4512-501-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4516-410-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4552-443-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4752-220-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4752-112-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4752-496-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4812-412-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4824-185-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4916-301-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4916-500-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5044-428-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5064-497-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5064-250-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5068-338-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5076-242-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download