Analysis
max time kernel: 120s
max time network: 21s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26/07/2024, 00:32
Behavioral task behavioral1
Sample: 3c6bbb58c7266b0a1b1df8533187d470N.exe
Resource: win7-20240704-en
Behavioral task behavioral2
Sample: 3c6bbb58c7266b0a1b1df8533187d470N.exe
Resource: win10v2004-20240709-en
General
Target: 3c6bbb58c7266b0a1b1df8533187d470N.exe
Size: 46KB
MD5: 3c6bbb58c7266b0a1b1df8533187d470
SHA1: 0e82d8f9897323b1c67259c56f4f8487d69183a5
SHA256: 239fabb87b36ee738861f1db61884c8669ee56002ac5b9be88833b4516fa6f74
SHA512: a62dc930819ee9b265ec705a434e4513c7dc610f44dc24a0b4ac2fc20dce9f67e7d4bca46393b370fb2397a4fd8429272b60bf5516c67f562584460561640e93
SSDEEP: 768:CcMJOcV8OrUpdJ8WbqpD3TORaEXowekfKE:yOcjUpkWb2TTgKwuE
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 16 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | SMSS.EXE
Modifies visibility of file extensions in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | SMSS.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | CSRSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | LSASS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | WINLOGON.EXE
Disables RegEdit via registry modification (16 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Disables Task Manager via registry modification
Disables use of System Restore points (1 TTPs)
Executes dropped EXE (56 IoCs)
pid | Process
2404 | 4k51k4.exe
2904 | IExplorer.exe
2732 | WINLOGON.EXE
2764 | CSRSS.EXE
2064 | SERVICES.EXE
1692 | LSASS.EXE
2292 | SMSS.EXE
2452 | 4k51k4.exe
1668 | IExplorer.exe
1448 | 4k51k4.exe
1780 | WINLOGON.EXE
2060 | IExplorer.exe
876 | 4k51k4.exe
1784 | WINLOGON.EXE
2664 | 4k51k4.exe
2648 | CSRSS.EXE
2568 | IExplorer.exe
2576 | CSRSS.EXE
752 | WINLOGON.EXE
2384 | 4k51k4.exe
2884 | IExplorer.exe
2552 | CSRSS.EXE
1552 | 4k51k4.exe
1684 | 4k51k4.exe
2720 | IExplorer.exe
584 | SERVICES.EXE
2912 | IExplorer.exe
1544 | IExplorer.exe
1712 | WINLOGON.EXE
2468 | SERVICES.EXE
2420 | SERVICES.EXE
2340 | LSASS.EXE
1876 | SMSS.EXE
444 | WINLOGON.EXE
2416 | LSASS.EXE
1204 | LSASS.EXE
1420 | SMSS.EXE
896 | CSRSS.EXE
3032 | WINLOGON.EXE
980 | WINLOGON.EXE
1540 | CSRSS.EXE
576 | SMSS.EXE
1784 | SERVICES.EXE
2548 | CSRSS.EXE
2880 | CSRSS.EXE
2568 | SERVICES.EXE
836 | SERVICES.EXE
2588 | LSASS.EXE
1636 | LSASS.EXE
1760 | LSASS.EXE
2940 | SMSS.EXE
1808 | SMSS.EXE
2768 | SERVICES.EXE
2564 | SMSS.EXE
2660 | LSASS.EXE
1340 | SMSS.EXE
Loads dropped DLL (64 IoCs)
pid | Process
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
1048 | 3c6bbb58c7266b0a1b1df8533187d470N.exe
2404 | 4k51k4.exe
2404 | 4k51k4.exe
2404 | 4k51k4.exe
2404 | 4k51k4.exe
2904 | IExplorer.exe
2904 | IExplorer.exe
2904 | IExplorer.exe
2904 | IExplorer.exe
2904 | IExplorer.exe
2904 | IExplorer.exe
2404 | 4k51k4.exe
2764 | CSRSS.EXE
2764 | CSRSS.EXE
2404 | 4k51k4.exe
2732 | WINLOGON.EXE
2732 | WINLOGON.EXE
2764 | CSRSS.EXE
2764 | CSRSS.EXE
2764 | CSRSS.EXE
1692 | LSASS.EXE
1692 | LSASS.EXE
2904 | IExplorer.exe
2904 | IExplorer.exe
2292 | SMSS.EXE
2292 | SMSS.EXE
2064 | SERVICES.EXE
2064 | SERVICES.EXE
1692 | LSASS.EXE
1692 | LSASS.EXE
2904 | IExplorer.exe
2404 | 4k51k4.exe
2404 | 4k51k4.exe
2764 | CSRSS.EXE
2764 | CSRSS.EXE
2904 | IExplorer.exe
2904 | IExplorer.exe
2064 | SERVICES.EXE
2404 | 4k51k4.exe
2904 | IExplorer.exe
2064 | SERVICES.EXE
2404 | 4k51k4.exe
2764 | CSRSS.EXE
2764 | CSRSS.EXE
2064 | SERVICES.EXE
2404 | 4k51k4.exe
2064 | SERVICES.EXE
2404 | 4k51k4.exe
2292 | SMSS.EXE
2292 | SMSS.EXE
2732 | WINLOGON.EXE
2764 | CSRSS.EXE
2764 | CSRSS.EXE
Modifies system executable filetype association (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 4k51k4.exe
resource | yara_rule
behavioral1/memory/1048-0-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0007000000016d19-8.dat | upx
behavioral1/files/0x000500000001935d-113.dat | upx
behavioral1/memory/1048-114-0x00000000004A0000-0x00000000004C3000-memory.dmp | upx
behavioral1/files/0x0005000000019415-118.dat | upx
behavioral1/memory/2904-127-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1048-125-0x00000000004A0000-0x00000000004C3000-memory.dmp | upx
behavioral1/files/0x000500000001942a-132.dat | upx
behavioral1/memory/1048-134-0x00000000004A0000-0x00000000004C3000-memory.dmp | upx
behavioral1/memory/2732-140-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0005000000019434-143.dat | upx
behavioral1/memory/1048-150-0x00000000004A0000-0x00000000004C3000-memory.dmp | upx
behavioral1/files/0x000500000001943f-153.dat | upx
behavioral1/files/0x000500000001944a-162.dat | upx
behavioral1/files/0x000500000001944e-172.dat | upx
behavioral1/memory/1048-184-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0005000000019418-197.dat | upx
behavioral1/files/0x0005000000019397-195.dat | upx
behavioral1/files/0x0005000000019389-192.dat | upx
behavioral1/files/0x000500000001936d-191.dat | upx
behavioral1/memory/2904-251-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0005000000019397-228.dat | upx
behavioral1/files/0x0005000000019389-224.dat | upx
behavioral1/files/0x000500000001936d-223.dat | upx
behavioral1/memory/2452-221-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0005000000019418-230.dat | upx
behavioral1/memory/1780-297-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2292-373-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2568-349-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2404-419-0x00000000004B0000-0x00000000004D3000-memory.dmp | upx
behavioral1/memory/2384-422-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2904-412-0x0000000001DD0000-0x0000000001DF3000-memory.dmp | upx
behavioral1/memory/2568-347-0x00000000001B0000-0x00000000001C0000-memory.dmp | upx
behavioral1/memory/876-345-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/files/0x0005000000019418-315.dat | upx
behavioral1/files/0x0005000000019397-313.dat | upx
behavioral1/files/0x0005000000019389-310.dat | upx
behavioral1/files/0x000500000001936d-309.dat | upx
behavioral1/memory/1784-308-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2060-299-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1692-340-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2664-339-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/876-336-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2064-335-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1780-291-0x00000000001C0000-0x00000000001D0000-memory.dmp | upx
behavioral1/files/0x0005000000019418-275.dat | upx
behavioral1/files/0x0005000000019397-273.dat | upx
behavioral1/files/0x0005000000019389-270.dat | upx
behavioral1/files/0x000500000001936d-269.dat | upx
behavioral1/memory/1448-267-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2404-235-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2764-265-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2732-260-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1668-256-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2720-477-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1552-474-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/584-469-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/1684-467-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2552-455-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2884-454-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2576-441-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2648-440-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/2552-481-0x0000000000400000-0x0000000000423000-memory.dmp | upx
behavioral1/memory/444-498-0x0000000000400000-0x0000000000423000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 40 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | SMSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | SERVICES.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | WINLOGON.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | SERVICES.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | LSASS.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | CSRSS.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 4k51k4.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" | IExplorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | IExplorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | WINLOGON.EXE
Drops desktop.ini file(s) (4 IoCs)
description | ioc | Process
File opened for modification | C:\desktop.ini | IExplorer.exe
File created | C:\desktop.ini | IExplorer.exe
File opened for modification | F:\desktop.ini | IExplorer.exe
File created | F:\desktop.ini | IExplorer.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\G: IExplorer.exe
File opened (read-only) \??\S: 4k51k4.exe
File opened (read-only) \??\E: SMSS.EXE
File opened (read-only) \??\V: WINLOGON.EXE
File opened (read-only) \??\R: 4k51k4.exe
File opened (read-only) \??\H: SMSS.EXE
File opened (read-only) \??\W: LSASS.EXE
File opened (read-only) \??\Z: IExplorer.exe
File opened (read-only) \??\Z: CSRSS.EXE
File opened (read-only) \??\S: SMSS.EXE
File opened (read-only) \??\T: LSASS.EXE
File opened (read-only) \??\E: 4k51k4.exe
File opened (read-only) \??\T: SMSS.EXE
File opened (read-only) \??\V: LSASS.EXE
File opened (read-only) \??\B: WINLOGON.EXE
File opened (read-only) \??\M: CSRSS.EXE
File opened (read-only) \??\L: SMSS.EXE
File opened (read-only) \??\M: SERVICES.EXE
File opened (read-only) \??\E: LSASS.EXE
File opened (read-only) \??\Q: LSASS.EXE
File opened (read-only) \??\P: WINLOGON.EXE
File opened (read-only) \??\O: IExplorer.exe
File opened (read-only) \??\T: IExplorer.exe
File opened (read-only) \??\Z: SMSS.EXE
File opened (read-only) \??\I: SERVICES.EXE
File opened (read-only) \??\R: SERVICES.EXE
File opened (read-only) \??\X: SERVICES.EXE
File opened (read-only) \??\Z: 4k51k4.exe
File opened (read-only) \??\X: LSASS.EXE
File opened (read-only) \??\L: IExplorer.exe
File opened (read-only) \??\U: WINLOGON.EXE
File opened (read-only) \??\Q: IExplorer.exe
File opened (read-only) \??\J: 4k51k4.exe
File opened (read-only) \??\Q: SMSS.EXE
File opened (read-only) \??\R: IExplorer.exe
File opened (read-only) \??\U: SMSS.EXE
File opened (read-only) \??\X: SMSS.EXE
File opened (read-only) \??\L: LSASS.EXE
File opened (read-only) \??\N: LSASS.EXE
File opened (read-only) \??\K: WINLOGON.EXE
File opened (read-only) \??\M: IExplorer.exe
File opened (read-only) \??\I: 4k51k4.exe
File opened (read-only) \??\Z: SERVICES.EXE
File opened (read-only) \??\X: IExplorer.exe
File opened (read-only) \??\J: SERVICES.EXE
File opened (read-only) \??\P: SERVICES.EXE
File opened (read-only) \??\T: SERVICES.EXE
File opened (read-only) \??\V: SERVICES.EXE
File opened (read-only) \??\J: WINLOGON.EXE
File opened (read-only) \??\Y: WINLOGON.EXE
File opened (read-only) \??\Q: SERVICES.EXE
File opened (read-only) \??\Y: IExplorer.exe
File opened (read-only) \??\B: 4k51k4.exe
File opened (read-only) \??\P: 4k51k4.exe
File opened (read-only) \??\O: CSRSS.EXE
File opened (read-only) \??\V: CSRSS.EXE
File opened (read-only) \??\B: SERVICES.EXE
File opened (read-only) \??\L: SERVICES.EXE
File opened (read-only) \??\W: SERVICES.EXE
File opened (read-only) \??\J: LSASS.EXE
File opened (read-only) \??\Z: LSASS.EXE
File opened (read-only) \??\E: IExplorer.exe
File opened (read-only) \??\O: 4k51k4.exe
File opened (read-only) \??\P: SMSS.EXE
-
Drops file in System32 directory 50 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\shell.exe LSASS.EXE
File created C:\Windows\SysWOW64\shell.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File created C:\Windows\SysWOW64\MrHelloween.scr 3c6bbb58c7266b0a1b1df8533187d470N.exe
File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE
File opened for modification C:\Windows\SysWOW64\shell.exe SERVICES.EXE
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr CSRSS.EXE
File created C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe 4k51k4.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 3c6bbb58c7266b0a1b1df8533187d470N.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe
File opened for modification C:\Windows\SysWOW64\shell.exe WINLOGON.EXE
File created C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE
File opened for modification C:\Windows\SysWOW64\shell.exe CSRSS.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 4k51k4.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr WINLOGON.EXE
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr LSASS.EXE
File created C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SMSS.EXE
File opened for modification C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE
File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SERVICES.EXE
File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe
File created C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe
File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe
File opened for modification C:\Windows\SysWOW64\shell.exe SMSS.EXE
-
Drops file in Windows directory 32 IoCs
description ioc Process
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\4k51k4.exe SMSS.EXE
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\4k51k4.exe SERVICES.EXE
File created C:\Windows\4k51k4.exe IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\4k51k4.exe WINLOGON.EXE
File opened for modification C:\Windows\4k51k4.exe CSRSS.EXE
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\4k51k4.exe 4k51k4.exe
File created C:\Windows\4k51k4.exe LSASS.EXE
File opened for modification C:\Windows\4k51k4.exe SERVICES.EXE
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\4k51k4.exe 4k51k4.exe
File opened for modification C:\Windows\4k51k4.exe IExplorer.exe
File created C:\Windows\4k51k4.exe CSRSS.EXE
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File created C:\Windows\4k51k4.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File created C:\Windows\4k51k4.exe WINLOGON.EXE
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\4k51k4.exe LSASS.EXE
File opened for modification C:\Windows\4k51k4.exe SMSS.EXE
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\4k51k4.exe 3c6bbb58c7266b0a1b1df8533187d470N.exe
File created C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe
-
Modifies Control Panel 32 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 4k51k4.exe
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ CSRSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" CSRSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ LSASS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" LSASS.EXE
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SMSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 4k51k4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SERVICES.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" LSASS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" WINLOGON.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" CSRSS.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" LSASS.EXE
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ 4k51k4.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 4k51k4.exe
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ WINLOGON.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" CSRSS.EXE
Key created \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\ SERVICES.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SMSS.EXE
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 4k51k4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command CSRSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
1048 3c6bbb58c7266b0a1b1df8533187d470N.exe
-
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process
2404 4k51k4.exe
2764 CSRSS.EXE
2732 WINLOGON.EXE
2904 IExplorer.exe
2292 SMSS.EXE
1692 LSASS.EXE
2064 SERVICES.EXE
-
Suspicious use of SetWindowsHookEx 56 IoCs
pid Process
1048 3c6bbb58c7266b0a1b1df8533187d470N.exe
2404 4k51k4.exe
2904 IExplorer.exe
2732 WINLOGON.EXE
2764 CSRSS.EXE
2064 SERVICES.EXE
1692 LSASS.EXE
2292 SMSS.EXE
2452 4k51k4.exe
1668 IExplorer.exe
1448 4k51k4.exe
1780 WINLOGON.EXE
2060 IExplorer.exe
1784 WINLOGON.EXE
876 4k51k4.exe
2664 4k51k4.exe
2568 IExplorer.exe
752 WINLOGON.EXE
2648 CSRSS.EXE
2384 4k51k4.exe
2576 CSRSS.EXE
2552 CSRSS.EXE
2884 IExplorer.exe
1684 4k51k4.exe
2720 IExplorer.exe
1552 4k51k4.exe
584 SERVICES.EXE
2912 IExplorer.exe
1544 IExplorer.exe
2420 SERVICES.EXE
1712 WINLOGON.EXE
2340 LSASS.EXE
2468 SERVICES.EXE
444 WINLOGON.EXE
1876 SMSS.EXE
2416 LSASS.EXE
1204 LSASS.EXE
1420 SMSS.EXE
896 CSRSS.EXE
3032 WINLOGON.EXE
980 WINLOGON.EXE
1784 SERVICES.EXE
576 SMSS.EXE
2548 CSRSS.EXE
836 SERVICES.EXE
2880 CSRSS.EXE
2588 LSASS.EXE
2568 SERVICES.EXE
1636 LSASS.EXE
2940 SMSS.EXE
1760 LSASS.EXE
2768 SERVICES.EXE
1808 SMSS.EXE
2564 SMSS.EXE
2660 LSASS.EXE
1340 SMSS.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1048 wrote to memory of 2404 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 31
PID 1048 wrote to memory of 2404 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 31
PID 1048 wrote to memory of 2404 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 31
PID 1048 wrote to memory of 2404 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 31
PID 1048 wrote to memory of 2904 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 32
PID 1048 wrote to memory of 2904 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 32
PID 1048 wrote to memory of 2904 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 32
PID 1048 wrote to memory of 2904 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 32
PID 1048 wrote to memory of 2732 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 33
PID 1048 wrote to memory of 2732 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 33
PID 1048 wrote to memory of 2732 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 33
PID 1048 wrote to memory of 2732 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 33
PID 1048 wrote to memory of 2764 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 34
PID 1048 wrote to memory of 2764 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 34
PID 1048 wrote to memory of 2764 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 34
PID 1048 wrote to memory of 2764 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 34
PID 1048 wrote to memory of 2064 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 35
PID 1048 wrote to memory of 2064 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 35
PID 1048 wrote to memory of 2064 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 35
PID 1048 wrote to memory of 2064 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 35
PID 1048 wrote to memory of 1692 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 36
PID 1048 wrote to memory of 1692 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 36
PID 1048 wrote to memory of 1692 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 36
PID 1048 wrote to memory of 1692 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 36
PID 1048 wrote to memory of 2292 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 37
PID 1048 wrote to memory of 2292 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 37
PID 1048 wrote to memory of 2292 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 37
PID 1048 wrote to memory of 2292 1048 3c6bbb58c7266b0a1b1df8533187d470N.exe 37
PID 2404 wrote to memory of 2452 2404 4k51k4.exe 38
PID 2404 wrote to memory of 2452 2404 4k51k4.exe 38
PID 2404 wrote to memory of 2452 2404 4k51k4.exe 38
PID 2404 wrote to memory of 2452 2404 4k51k4.exe 38
PID 2404 wrote to memory of 1668 2404 4k51k4.exe 39
PID 2404 wrote to memory of 1668 2404 4k51k4.exe 39
PID 2404 wrote to memory of 1668 2404 4k51k4.exe 39
PID 2404 wrote to memory of 1668 2404 4k51k4.exe 39
PID 2904 wrote to memory of 1448 2904 IExplorer.exe 40
PID 2904 wrote to memory of 1448 2904 IExplorer.exe 40
PID 2904 wrote to memory of 1448 2904 IExplorer.exe 40
PID 2904 wrote to memory of 1448 2904 IExplorer.exe 40
PID 2404 wrote to memory of 1780 2404 4k51k4.exe 41
PID 2404 wrote to memory of 1780 2404 4k51k4.exe 41
PID 2404 wrote to memory of 1780 2404 4k51k4.exe 41
PID 2404 wrote to memory of 1780 2404 4k51k4.exe 41
PID 2904 wrote to memory of 2060 2904 IExplorer.exe 42
PID 2904 wrote to memory of 2060 2904 IExplorer.exe 42
PID 2904 wrote to memory of 2060 2904 IExplorer.exe 42
PID 2904 wrote to memory of 2060 2904 IExplorer.exe 42
PID 2732 wrote to memory of 876 2732 WINLOGON.EXE 43
PID 2732 wrote to memory of 876 2732 WINLOGON.EXE 43
PID 2732 wrote to memory of 876 2732 WINLOGON.EXE 43
PID 2732 wrote to memory of 876 2732 WINLOGON.EXE 43
PID 2904 wrote to memory of 1784 2904 IExplorer.exe 73
PID 2904 wrote to memory of 1784 2904 IExplorer.exe 73
PID 2904 wrote to memory of 1784 2904 IExplorer.exe 73
PID 2904 wrote to memory of 1784 2904 IExplorer.exe 73
PID 2904 wrote to memory of 2648 2904 IExplorer.exe 45
PID 2904 wrote to memory of 2648 2904 IExplorer.exe 45
PID 2904 wrote to memory of 2648 2904 IExplorer.exe 45
PID 2904 wrote to memory of 2648 2904 IExplorer.exe 45
PID 2764 wrote to memory of 2664 2764 CSRSS.EXE 46
PID 2764 wrote to memory of 2664 2764 CSRSS.EXE 46
PID 2764 wrote to memory of 2664 2764 CSRSS.EXE 46
PID 2764 wrote to memory of 2664 2764 CSRSS.EXE 46
-
System policy modification 1 TTPs 40 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | IExplorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | WINLOGON.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | SERVICES.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | LSASS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | SMSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | IExplorer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | SERVICES.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | SMSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 3c6bbb58c7266b0a1b1df8533187d470N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 4k51k4.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | LSASS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 4k51k4.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | WINLOGON.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | CSRSS.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | CSRSS.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | SERVICES.EXE
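The registry entries above are the raw material for a host check. The following Python is an added example, not part of this report or of the sandbox's own tooling: it parses "Set value" / "Key created" entries in the format the report uses into records, compares each written value against a baseline of the expected clean state, and emits the reg.exe command that reverts it. The sample text is constructed from a few of this report's Policies entries plus one Winlogon Shell entry of the kind flagged as "Modifies WinLogon for persistence"; the baseline values (Windows 7 defaults) are an assumption of the example. One caveat the paths themselves carry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies is a shared key, so the policy writes take effect as logged, but a 32-bit sample's Winlogon writes on x64 are redirected to Wow6432Node, a view the native 64-bit winlogon.exe does not consult. Check both views (the /reg:32 switch below) rather than assuming the Shell hijack worked.

```python
"""Score sandbox registry 'Set value' / 'Key created' entries against a clean baseline.
Added example; the SAMPLE text is constructed from report-style entries."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the flattened report format (entries separated by spaces).
SAMPLE = (
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SERVICES.EXE '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" LSASS.EXE '
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe '
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE '
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" WINLOGON.EXE'
)

# One entry: <op> <path> [= "<value>"] <process>, terminated by the next op or end of text.
ENTRY_RE = re.compile(
    r'(?P<op>Set value \((?:int|str)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s+=\s+"(?P<value>(?:[^"\\]|\\.)*)")?'
    r'\s+(?P<proc>\S+\.(?:exe|EXE))'
    r'(?=\s+(?:Set value|Key created)|\s*$)'
)

WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICIES = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
# Assumed clean state (Windows 7). None means the value should not exist at all.
BASELINE = {
    WINLOGON + r"\Shell": "explorer.exe",
    WINLOGON + r"\Userinit": r"C:\Windows\system32\userinit.exe,",
    POLICIES + r"\System\DisableTaskMgr": None,
    POLICIES + r"\System\DisableRegistryTools": None,
    POLICIES + r"\Explorer\NoFolderOptions": None,
}
BASELINE_LC = {k.lower(): v for k, v in BASELINE.items()}


@dataclass
class Entry:
    op: str
    path: str            # normalised to HKLM\..., Wow6432Node stripped
    value: Optional[str]
    process: str
    wow64: bool          # True if the write landed in the 32-bit (Wow6432Node) view


@dataclass
class Finding:
    path: str
    observed: str
    process: str
    wow64: bool
    fix: str             # reg.exe command that restores the baseline


def parse_entries(text: str) -> List[Entry]:
    out = []
    for m in ENTRY_RE.finditer(text):
        path = m.group("path").replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
        wow64 = "\\Wow6432Node\\" in path
        path = path.replace("\\Wow6432Node\\", "\\", 1)
        value = m.group("value")
        if value is not None:
            value = re.sub(r"\\(.)", r"\1", value)  # undo the report's \" and \\ escaping
        out.append(Entry(m.group("op"), path, value, m.group("proc"), wow64))
    return out


def remediation(path: str, expected: Optional[str], wow64: bool) -> str:
    key, name = path.rsplit("\\", 1)
    view = " /reg:32" if wow64 else ""   # target the redirected view the sample wrote to
    if expected is None:
        return f'reg delete "{key}" /v {name} /f{view}'
    return f'reg add "{key}" /v {name} /t REG_SZ /d "{expected}" /f{view}'


def evaluate(entries: List[Entry]) -> List[Finding]:
    findings = []
    for e in entries:
        key = e.path.lower()
        if e.op == "Key created" or key not in BASELINE_LC:
            continue   # creating the Policies key itself is not a deviation
        expected = BASELINE_LC[key]
        observed = e.value or ""
        if expected is not None and observed.lower() == expected.lower():
            continue
        findings.append(Finding(e.path, observed, e.process, e.wow64,
                                remediation(e.path, expected, e.wow64)))
    return findings


if __name__ == "__main__":
    for f in evaluate(parse_entries(SAMPLE)):
        view = "wow64 view" if f.wow64 else "native view"
        print(f"{f.process}: {f.path} = {f.observed!r} ({view})\n    {f.fix}")
```

The parser is deliberately anchored on the next "Set value"/"Key created" token, because the entries are space-separated and the Winlogon key path itself contains a space ("Windows NT"). When the 32-bit view is the one that was written, the emitted fix carries /reg:32; run the same query without it to confirm the native view is still clean.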
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\3c6bbb58c7266b0a1b1df8533187d470N.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\3c6bbb58c7266b0a1b1df8533187d470N.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1048

[level 2] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2404

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2452

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1668

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1780

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2576

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2468

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2416

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1420

[level 2] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2904

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1448

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2060

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1784

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2648

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:584

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2340

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1876

[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2732

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:876

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2884

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:980

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2880

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2768

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2660

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1340

[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2764

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2664

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2568

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:752

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2552

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2420

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1204

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:576

[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2064

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1684

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1544

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:444

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:896

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1784

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2588

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808

[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1692

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2384

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1712

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2568

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1760

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2564

[level 2] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2292

[level 3] C:\Windows\4k51k4.exe  (command line: C:\Windows\4k51k4.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1552

[level 3] C:\Windows\SysWOW64\IExplorer.exe  (command line: C:\Windows\system32\IExplorer.exe)
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3032

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2548

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:836

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1636

[level 3] C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  (command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE")
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2940
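Two features of this process tree are worth turning into detection logic: five of the dropped executables reuse the names of core Windows processes (WINLOGON.EXE, CSRSS.EXE, SERVICES.EXE, LSASS.EXE, SMSS.EXE) but run from a user-profile directory, and every second-level copy launches the same seven children again. The Python below is an added example, not part of the report or of any sandbox tooling. The process tuples are constructed from the PIDs and paths of the first two levels of the tree; the expected-location table is an assumption of standard Windows 7 x64 paths, and the edit-distance threshold is a tuning choice. It flags a process whose name matches a core binary but whose directory does not (masquerading), a name within a couple of edits of a well-known binary (IExplorer.exe against iexplore.exe), and parents that share an identical large child set (self-replication). Note also that the IExplorer.exe entries show an image path under SysWOW64 for a command line naming system32: that is the WOW64 file-system redirection a 32-bit process gets on x64 Windows, so a rule keyed only on the command line would miss the real on-disk location.

```python
"""Masquerading, lookalike-name and self-replication checks over a sandbox process tree.
Added example; PROCESSES is constructed from the report's tree (pid, parent pid, image path)."""
from collections import defaultdict
import ntpath

PROCESSES = [
    (1048, 0,    r"C:\Users\Admin\AppData\Local\Temp\3c6bbb58c7266b0a1b1df8533187d470N.exe"),
    (2404, 1048, r"C:\Windows\4k51k4.exe"),
    (2904, 1048, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (2732, 1048, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (2764, 1048, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"),
    (2064, 1048, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"),
    (1692, 1048, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    (2292, 1048, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"),
    (2452, 2404, r"C:\Windows\4k51k4.exe"),
    (1668, 2404, r"C:\Windows\SysWOW64\IExplorer.exe"),
    (1780, 2404, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"),
    (2576, 2404, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"),
    (2468, 2404, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"),
    (2416, 2404, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"),
    (1420, 2404, r"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"),
]

# Assumed legitimate directories for well-known binaries on Windows 7 x64 (lower-case).
EXPECTED_DIR = {
    "smss.exe": {r"c:\windows\system32"},
    "csrss.exe": {r"c:\windows\system32"},
    "wininit.exe": {r"c:\windows\system32"},
    "winlogon.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "lsass.exe": {r"c:\windows\system32"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}
LOOKALIKE_MAX_EDITS = 2   # tuning choice


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss names such as IExplorer vs iexplore."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(image: str):
    """Return 'masquerade', 'lookalike' or None for one image path."""
    directory, name = ntpath.split(image.lower())
    if name in EXPECTED_DIR:
        return None if directory in EXPECTED_DIR[name] else "masquerade"
    stem = name[:-4] if name.endswith(".exe") else name
    for known in EXPECTED_DIR:
        if levenshtein(stem, known[:-4]) <= LOOKALIKE_MAX_EDITS:
            return "lookalike"
    return None


def find_suspicious(processes):
    return [(pid, verdict, image) for pid, _, image in processes
            if (verdict := classify(image))]


def spawn_signatures(processes):
    """Map each parent PID to the set of child image names it launched."""
    sig = defaultdict(set)
    for _, ppid, image in processes:
        sig[ppid].add(ntpath.basename(image).lower())
    return dict(sig)


def replicating_parents(processes, min_children: int = 5):
    """Groups of parents that each launch the same large child set: the fan-out of a self-copying worm."""
    by_set = defaultdict(list)
    for ppid, names in spawn_signatures(processes).items():
        if len(names) >= min_children:
            by_set[frozenset(names)].append(ppid)
    return [sorted(ppids) for ppids in by_set.values() if len(ppids) > 1]


if __name__ == "__main__":
    for pid, verdict, image in find_suspicious(PROCESSES):
        print(f"{verdict:10} pid={pid} {image}")
    print("replicating parents:", replicating_parents(PROCESSES))
```

The masquerade check is intentionally strict on the directory rather than on the name alone, because a legitimate csrss.exe or lsass.exe never runs from a profile directory; the lookalike check is the loose one and is where false positives live, so keep its threshold small and its known-name list short.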
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (6)
Downloads
-
Filesize
46KB
MD5f764cdc9b19fce5af2ed578d970f6025
SHA16ea5e9f976de65e1d43cb2296a5f364c835c421a
SHA25604522ccf984cd3758ead25974b94f67c05e7a635054d9e486b15121cfef98638
SHA512f91e352570a2300c52e6f34eaa7c6442425c9a2e693b7827647310a462ea02712bac21dbba24d76baebe6f56db1d7b51a492bb8d4af0b866051e1dc42d87fad0
-
Filesize
46KB
MD502c930d618ed34a4840b4d206f34cc0b
SHA1e9b8e7fa611b941e22fe9d689ab3e47c27c906d0
SHA25653bc886ab478aabb0a8eabaa68812598bbfed715abffaf7400ec2816567dcf31
SHA5121c957ba3e31b6f0a2b375cb0bb590ae94ff4271f876745e38f896b16311ba6d563bbef0ad60a3ee73518f27b90d66f403ee12c70a76657115862eb551be37d6b
-
Filesize
46KB
MD58167e8cc32b5437aeb77c18de8ba1eb8
SHA1101223048fb4bc6a8778c3c5fea97fc5eccd1304
SHA2564358a7edb9bce5a4a8b6755aa7187a279d2418f3c7b9259202978125569e2aea
SHA512b594606b3e61de155073f3fcb6e58a2b4b77bfa7f7e2e09a40ea7c9fd17ef06eb7f4761e79152a5903b5fb6270b744065af56247d545c9aea97564e0ace37695
-
Filesize
46KB
MD5618633d1c3f1b3e7484d47f62e8e4c56
SHA11efea9ff7cc6b680d5e861e2514e20d480c8a19b
SHA256faf966d26aedae08a1d7d85447f3d2dff67fd591caa56d61ed1ae27e213d5014
SHA5125bd69f73c7e3650beef4d0a4d79a2083ce34bb218dea0b23448ac8c6e5b00672be61274043cf046e628346bb6d5848836c42eb676b513c25e7809ce80b688356
-
Filesize
442B
MD5001424d7974b9a3995af292f6fcfe171
SHA1f8201d49d594d712c8450679c856c2e8307d2337
SHA256660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
SHA51266ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657
-
Filesize
46KB
MD53c6bbb58c7266b0a1b1df8533187d470
SHA10e82d8f9897323b1c67259c56f4f8487d69183a5
SHA256239fabb87b36ee738861f1db61884c8669ee56002ac5b9be88833b4516fa6f74
SHA512a62dc930819ee9b265ec705a434e4513c7dc610f44dc24a0b4ac2fc20dce9f67e7d4bca46393b370fb2397a4fd8429272b60bf5516c67f562584460561640e93
-
Filesize
46KB
MD56e6cc57e4b3d1cea0478124a47ecbd8a
SHA10fbe1486edfbc917ccef984b326bf70583929408
SHA25670d898699ca900a4f1bdd3520443f2d3e25711b2e4dfa57c3a3710c2d7d8739c
SHA5129036279a4fb710799d8a15ca49a6193d01f78089cb943d6f9f922d38ef6c4d9c94f4a7a13acec33d8512b542be2e1caa3df9487308bc5076f45dbcd1f1a36d74
-
Filesize
46KB
MD521931e928956a44580b0f879a56a3658
SHA1298f02e4e25dbf4d4add587cb7e3cbc95012731e
SHA2569c72b7eb111b9a1dd91fe5b5ef34014a40cb8a56755ee5963169ee18be0370c3
SHA5121806ad734be48c777b2c326bcb732e24193cbf6ea1cf46054ce8c3e444a5c50ffe5ac567b6b6f5aa96e8d5008045bb39484e1d941eb2dd5eb31fdeada9cd10a4
-
Filesize
46KB
MD507eec8113a19d0805bd2909f6b96b765
SHA1317df3332e437e03ce6d2b83b6a6efb43a9e38ab
SHA256e170937745cd2cbce32250a87e4886e67b3ee3bf4dc2517dc272c48488ccc968
SHA5121f984bbd16ae2b673c092e4dcf36a55cfc5fdc4a8cac50e1ec373609ad96253e473542dba7e75a120e3431f3706d18da92ad79c6c93e597304d6992390896731
-
Filesize
46KB
MD5c4e6821a7d54259093d876b77d8a1458
SHA15aa5d1b26e849e8aa7bff1d7c253a0956f1472dd
SHA2566adccac6207294e6bc54f045d6546b76045f1ca676008c3656b900506d1e7a01
SHA5123e6fb8a878dbe061c99f0c744a4b4714bcb31beb151899444f029851e30f4e23f0c74cbeda9aa90fd5da1056b5b382c8705618adf088e6979e26a77330e46d6e
-
Filesize
46KB
MD5a0b1bdc22f17e7775e92dce7495dd124
SHA197880771a2d95ac3b835fad51c5d380136c24475
SHA2565da1a7e1dc18b0a625fb46654ca4db0accddbdf9287c931be4c69fe8fb4a6eb3
SHA5128a2ecd153bce157f997509a72a227c17b92807923be5c2ea0032b674742456c357de5ddd8c89d1e136d721b3496e7bf3a63c262a35a91b2560878fcae7a46990
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
46KB
MD53f33ab31fb741e3fa02f0e19d28e4416
SHA1ac38ace44fa0bf0eb2a9e879a35020c6a8cbfc80
SHA25645598a165719bf0a9de7f52d25196570dd7216a90cdd749614a8d7094e1c8208
SHA51248f9564cb78075ac334e7c0a6832e066f86d2a67b9930c19dccc9010510195788ec9ed7ec058151b3093ae735cdd2c9326735297c11a40b389e0e32220c53f4e
-
Filesize
46KB
MD5f75c08d14a3cbd6c7b56ced6ffaa2e91
SHA16e43d7ca850bc54281fcf6f925fb579329ec08f9
SHA256597bf55a171cca4d8dc37c6fde126aae0fc5977716da58ae710c4049cb598ccd
SHA512e204ff5265c4e6c0ce66c835eb88c08637d644169d6b3c1d06b3af82b2ad5511d00bebeb74560884f37bd1dfb3e44c9d74c839059a5234090f33e83759a8b11d
-
Filesize
46KB
MD525190205cfaaee856eba253ff214e045
SHA1834bd2087bac9fc0c38b252056a2faafe7191675
SHA2567be4767a246772ef4d28ceff926315d7467050708d26b1a8cf0ff6a8001fa234
SHA512f23910b619106bdcf093ee035c2e68fb98e286350f955882fafd25ea25e9034c1e9b9aca6e2e19cc1ea66212a898170ce536af4acaef24e9bbaab50e7bd29c9b
-
Filesize
46KB
MD51ede227c92724f7b9b81dc776e17d2f4
SHA1f3922402bff932bc6202b5fff0a9a8c6ebc6dbf0
SHA2561ce26b054c81ec164705c4b03807bbe4d12853c59ac79c15c2f6c17c82488d2b
SHA512d1f75bf522300eff6a3c5a6c31e3237ab5f404485c4c77336c0c0d90dbfc741b620b604505f07a3bd6047d68c83c62a6e0951a90a26bd0f59b6885169fa965af
-
Filesize
46KB
MD5f1252110a1345b35918b69f7f4840463
SHA1282973147876e1c644d4c61364e6d52ade49d986
SHA256c05e387495762e46cbda1a3bbaf4225909afe509f98b01f12a0957872e7d7d01
SHA5125b28c633ab4027a269aa6c1393f5af30f98c98b4e6e7e162c7697a0ffd10df355ab2e17954e5167242f7909de11ab5a1bbc1e1d1f9b613923fca065c4d67356f
-
Filesize
46KB
MD59134bb6a59cf913df83b207dc1c618c4
SHA1cce603ee355f443a8518b144ff3deb280bc2eed3
SHA2561ed564f682035d931d28b200cb1fac63874f345f3ab1907734c71324b7e0b326
SHA512c33e83969521c5dfde45ae6c4b1873dcc9f57c8b1abffe66247e662005c68786537d2e80732a0f16861651b939baf34bc33b51a63b563db89170b4a87115ce45
-
Filesize
46KB
MD5a6315bb05e8bd15250e41754f5a1b968
SHA1340edce97cdbb5128bab7ab2e7637e42fac9d6a9
SHA256c1a1dfe87b65a05c0054f9b7637b1e8cea92c94f81423103800bcce096075636
SHA512cb287d1166221d4499e9b4ee03b67d119c91df5327df718ff8f3dae23cfe49d87486023a8aa9f2817d3efbd23608742d0a4f38096f7cc13d94df84a7dc928104
-
Filesize
46KB
MD5da8879a911e126a0425af7af2d054cea
SHA1675993b465682becb8603f7a899da294505b55d2
SHA256b64f3a075b008ffaec9506c80fc7cf192e987b1457782f75a8ac347f4ee178aa
SHA5121c848da2eb9e77b088038b389dd0198b0da069390bec77c0a3772eef2d10e8a6ee7843fcce0b6250bb8214119d8fd6b188f76ef634abfe01a2ed9b4e2f66f348
-
Filesize
46KB
MD564d1d041fb0e97c51b39e8528c2ee6b1
SHA1e8a830840aa14d78a838d8982f8bb17609465920
SHA256ca56b28256a3a5ff4981601f8d8762ca5e901475d64bb8655b5a11c1338dbaa8
SHA512d3243bad580981965c1ffd007b85a26c85f0b431e128faebec1bb76ed0c03c77412d4f1c2bf8e5b78f8988833eacc15f0fbc13e8e5b6a88464fb739e558f907b
-
Filesize
46KB
MD5fa112a622191fd696ebe2cc2417fbc8a
SHA1d82315df78bc99aa8c49c40d0c6a4e6df54a4d43
SHA2562d850ee1d7eb1eed440193649b1a42b7b4d65fa76e0c3a8fe00979418648dc49
SHA512ef3f77096ecdd505150a6ff165c17d4636f9218e081040aff10e96178f59591e01ad9878c8f3b6a8f459ebe697093cfc7d5627b7821d69abebe967310661a29b
-
Filesize
46KB
MD5503f4e36ea3d1fd2d7ef623023269ea0
SHA11604e55a4fe7897c801be7b6b5417c83f20cc459
SHA256c18b536a7a94207e4bb73cc4af121f33cf184c7c6cff5ff23a63639c394ad8b0
SHA512de3f1a477606651841dc7b3cbde28d9b6e485110d139870a0fd52dd17d7cfcb68e5f3c9b1cc727c381711ec9c4970864652f61acfc3ba8b751d7da99c8bff334
-
Filesize
46KB
MD5a8344be2bf59dda53f9a10ec68081808
SHA1ebb0f5cb18d1878d637ffdfc15280057fe88677f
SHA256d90d4f2ddfbe36ffadf78c1e7af3838c840cff1c599c2f8673e65be591885eee
SHA512003b6a5e70ea4eb50614514c05c43c0155a9ffe5d8627a3a4c1ea1c19565f1dc823c0216693e2182a99f3959da5341d25a8131d52ee0668e2f2588fb70cffc37
-
Filesize
46KB
MD5a901f497613084e157d392e3116e7486
SHA1415022ed8f251e5984c1482d296376e1f8b7b1e0
SHA256308efa70366d5136b9221c18651b3e48650356dae709dddb3516a6c98164056a
SHA512a2f524a7d500cdd7b2a7422a26f4173d01548ee12ab93f362ead5fc6a91f077f702de936b99d244805170b21b6e2e4428134a5b574bd6f447cb922dec4b350a5
-
Filesize
46KB
MD55d4e11cc0e1463b8f2775c5d5191c48a
SHA14cb0790d08b008021ac237afec6a6e91a23d308d
SHA256b90dc77c2d6a2fbf40a27c90462b15d7812a705181ff7abe0cf977b95cd2c3f9
SHA51293cd4c08efc8f14f4c1693ab95abad66eb6b6f11e44bc548c72541d248baf6df59975df49f6c679fa25c1648bdb4f1e0577fc84cd7f30708e63cf16230e236f9