Analysis
-
max time kernel
119s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
22/08/2024, 03:44
Behavioral task
behavioral1
Sample
e45823752415d0fc61aea576488899b0N.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
e45823752415d0fc61aea576488899b0N.exe
Resource
win10v2004-20240802-en
General
-
Target
e45823752415d0fc61aea576488899b0N.exe
-
Size
1.1MB
-
MD5
e45823752415d0fc61aea576488899b0
-
SHA1
e62349106b8a650b874fba96d20a6607a9da0623
-
SHA256
0f680e79b2be776b6f34c9fe86c8e9a40d88a6ea84c9bdb00822bb2ecebe031d
-
SHA512
bce79c2d6e85a68be1dcb048047ec71bc11c1b32b9b8ff8cf65a8a3baee9839e15ec59c385fc1a688894cc38e70c593062624e8da22112e8938c2e0feaedb0eb
-
SSDEEP
6144:mjmjqj9jCfj9j3j9jtj9jOj9j9j9jvj9jGj9jSj9jSj9jmj9jE:hf
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SMSS.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" e45823752415d0fc61aea576488899b0N.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" e45823752415d0fc61aea576488899b0N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4k51k4.exe -
Disables RegEdit via registry modification 16 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" e45823752415d0fc61aea576488899b0N.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" e45823752415d0fc61aea576488899b0N.exe -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 63 IoCs
pid Process 1700 4k51k4.exe 692 IExplorer.exe 1488 WINLOGON.EXE 2784 CSRSS.EXE 1316 SERVICES.EXE 2520 LSASS.EXE 2980 SMSS.EXE 1808 4k51k4.exe 2404 4k51k4.exe 1868 IExplorer.exe 560 IExplorer.exe 2320 WINLOGON.EXE 2424 CSRSS.EXE 1840 SERVICES.EXE 2000 LSASS.EXE 1596 SMSS.EXE 2916 4k51k4.exe 2920 4k51k4.exe 2904 4k51k4.exe 3000 WINLOGON.EXE 2036 4k51k4.exe 1540 IExplorer.exe 2348 IExplorer.exe 2984 4k51k4.exe 2764 4k51k4.exe 2232 CSRSS.EXE 1208 WINLOGON.EXE 1136 IExplorer.exe 1132 IExplorer.exe 2500 IExplorer.exe 908 WINLOGON.EXE 780 CSRSS.EXE 2404 IExplorer.exe 560 WINLOGON.EXE 1756 WINLOGON.EXE 996 CSRSS.EXE 1708 WINLOGON.EXE 1840 CSRSS.EXE 696 SERVICES.EXE 1372 SERVICES.EXE 2744 SERVICES.EXE 2732 CSRSS.EXE 2736 CSRSS.EXE 2820 WINLOGON.EXE 2808 LSASS.EXE 2700 SERVICES.EXE 2692 LSASS.EXE 1244 CSRSS.EXE 2252 SERVICES.EXE 1260 LSASS.EXE 2848 LSASS.EXE 3040 SERVICES.EXE 3024 SMSS.EXE 1664 SMSS.EXE 2800 LSASS.EXE 2920 SERVICES.EXE 1956 SMSS.EXE 2576 SMSS.EXE 2532 LSASS.EXE 2708 SMSS.EXE 1496 LSASS.EXE 2144 SMSS.EXE 2164 SMSS.EXE -
Loads dropped DLL 64 IoCs
pid Process 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 1700 4k51k4.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 1316 SERVICES.EXE 1316 SERVICES.EXE 2980 SMSS.EXE 2980 SMSS.EXE 2644 e45823752415d0fc61aea576488899b0N.exe 2644 e45823752415d0fc61aea576488899b0N.exe 2520 LSASS.EXE 1488 WINLOGON.EXE 1488 WINLOGON.EXE 2980 SMSS.EXE 2980 SMSS.EXE 2520 LSASS.EXE 2784 CSRSS.EXE 2784 CSRSS.EXE 1316 SERVICES.EXE 1316 SERVICES.EXE 1488 WINLOGON.EXE 2980 SMSS.EXE 2980 SMSS.EXE 1316 SERVICES.EXE 1316 SERVICES.EXE 692 IExplorer.exe 2520 LSASS.EXE 2784 CSRSS.EXE 692 IExplorer.exe 2520 LSASS.EXE 2784 CSRSS.EXE 2784 CSRSS.EXE 2980 SMSS.EXE 2980 SMSS.EXE 1316 SERVICES.EXE 2784 CSRSS.EXE 1488 WINLOGON.EXE 2784 CSRSS.EXE 1488 WINLOGON.EXE 2520 LSASS.EXE -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE -
resource yara_rule behavioral1/memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00070000000174f7-8.dat upx behavioral1/files/0x000800000001871a-112.dat upx behavioral1/files/0x00050000000193f7-116.dat upx behavioral1/files/0x00050000000194ab-128.dat upx behavioral1/memory/1488-138-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00050000000194c1-139.dat upx behavioral1/memory/2784-148-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2644-141-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00050000000194df-151.dat upx behavioral1/memory/1700-153-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x000500000001950e-161.dat upx behavioral1/memory/692-168-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x0005000000019516-173.dat upx behavioral1/memory/1488-176-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2784-227-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x000600000001939d-238.dat upx behavioral1/files/0x00050000000193da-242.dat upx behavioral1/files/0x0005000000019426-244.dat upx behavioral1/files/0x00090000000170da-237.dat upx behavioral1/memory/1808-270-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1316-267-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2404-265-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2520-272-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2000-312-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1596-319-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1840-305-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2424-298-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2320-291-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/560-284-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2404-279-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00090000000170da-353.dat upx behavioral1/memory/2980-393-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00050000000193da-357.dat upx behavioral1/files/0x00050000000193da-369.dat upx behavioral1/files/0x000600000001939d-366.dat upx behavioral1/files/0x00090000000170da-365.dat upx behavioral1/memory/1868-398-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2920-424-0x0000000000220000-0x0000000000230000-memory.dmp upx behavioral1/memory/1540-490-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1540-507-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1208-529-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1132-527-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2500-531-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/908-533-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2348-517-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1316-534-0x0000000002540000-0x0000000002563000-memory.dmp upx behavioral1/memory/560-550-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1756-559-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2404-557-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/780-554-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2764-524-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/908-520-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2984-513-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2904-510-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2036-501-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2520-566-0x00000000003D0000-0x00000000003F3000-memory.dmp upx behavioral1/memory/1840-564-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/996-567-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2232-495-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2764-494-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2984-493-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2980-492-0x0000000001D90000-0x0000000001DB3000-memory.dmp upx behavioral1/memory/2348-491-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Adds Run key to start application 2 TTPs 40 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" LSASS.EXE -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\desktop.ini 4k51k4.exe File created C:\desktop.ini 4k51k4.exe File opened for modification F:\desktop.ini 4k51k4.exe File created F:\desktop.ini 4k51k4.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: CSRSS.EXE File opened (read-only) \??\L: LSASS.EXE File opened (read-only) \??\Y: SERVICES.EXE File opened (read-only) \??\O: 4k51k4.exe File opened (read-only) \??\X: CSRSS.EXE File opened (read-only) \??\U: WINLOGON.EXE File opened (read-only) \??\B: 4k51k4.exe File opened (read-only) \??\L: CSRSS.EXE File opened (read-only) \??\Z: CSRSS.EXE File opened (read-only) \??\O: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\J: LSASS.EXE File opened (read-only) \??\V: SERVICES.EXE File opened (read-only) \??\N: SMSS.EXE File opened (read-only) \??\R: SMSS.EXE File opened (read-only) \??\W: SERVICES.EXE File opened (read-only) \??\U: 4k51k4.exe File opened (read-only) \??\H: 4k51k4.exe File opened (read-only) \??\G: SERVICES.EXE File opened (read-only) \??\H: SERVICES.EXE File opened (read-only) \??\X: SERVICES.EXE File opened (read-only) \??\E: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\H: WINLOGON.EXE File opened (read-only) \??\J: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\E: 4k51k4.exe File opened (read-only) \??\E: CSRSS.EXE File opened (read-only) \??\N: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\P: WINLOGON.EXE File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\S: LSASS.EXE File opened (read-only) \??\R: 4k51k4.exe File opened (read-only) \??\Y: 4k51k4.exe File opened (read-only) \??\E: SMSS.EXE File opened (read-only) \??\X: SMSS.EXE File opened (read-only) \??\G: CSRSS.EXE File opened (read-only) \??\L: 4k51k4.exe File opened (read-only) \??\H: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\W: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\X: LSASS.EXE File opened (read-only) \??\Z: LSASS.EXE File opened (read-only) \??\J: 4k51k4.exe File opened (read-only) \??\Z: SMSS.EXE File opened (read-only) \??\I: CSRSS.EXE File opened (read-only) \??\S: CSRSS.EXE File opened (read-only) \??\W: CSRSS.EXE File opened (read-only) \??\P: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\K: WINLOGON.EXE File opened (read-only) \??\M: 4k51k4.exe File opened (read-only) \??\G: SMSS.EXE File opened (read-only) \??\J: CSRSS.EXE File opened (read-only) \??\B: WINLOGON.EXE File opened (read-only) \??\O: WINLOGON.EXE File opened (read-only) \??\V: LSASS.EXE File opened (read-only) \??\Q: SERVICES.EXE File opened (read-only) \??\T: e45823752415d0fc61aea576488899b0N.exe File opened (read-only) \??\E: LSASS.EXE File opened (read-only) \??\T: LSASS.EXE File opened (read-only) \??\N: 4k51k4.exe File opened (read-only) \??\E: SERVICES.EXE File opened (read-only) \??\J: SERVICES.EXE File opened (read-only) \??\Y: WINLOGON.EXE File opened (read-only) \??\K: 4k51k4.exe -
Drops file in System32 directory 52 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\IExplorer.exe e45823752415d0fc61aea576488899b0N.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr e45823752415d0fc61aea576488899b0N.exe File created C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SERVICES.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe e45823752415d0fc61aea576488899b0N.exe File created C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\shell.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 4k51k4.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr LSASS.EXE File opened for modification C:\Windows\SysWOW64\MrHelloween.scr IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\MrHelloween.scr e45823752415d0fc61aea576488899b0N.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\shell.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\shell.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\shell.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\shell.exe SMSS.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SMSS.EXE File created C:\Windows\SysWOW64\shell.exe e45823752415d0fc61aea576488899b0N.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File created C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe e45823752415d0fc61aea576488899b0N.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr CSRSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe -
Drops file in Windows directory 34 IoCs
description ioc Process File created C:\Windows\4k51k4.exe WINLOGON.EXE File created C:\Windows\4k51k4.exe CSRSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe 4k51k4.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe WINLOGON.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe SMSS.EXE File created C:\Windows\4k51k4.exe LSASS.EXE File opened for modification C:\Windows\4k51k4.exe IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe e45823752415d0fc61aea576488899b0N.exe File created C:\Windows\4k51k4.exe 4k51k4.exe File opened for modification C:\Windows\4k51k4.exe SERVICES.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe e45823752415d0fc61aea576488899b0N.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe LSASS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe SMSS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe CSRSS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe SERVICES.EXE File created C:\Windows\4k51k4.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language e45823752415d0fc61aea576488899b0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe -
Modifies Control Panel 32 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 4k51k4.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 4k51k4.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 4k51k4.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" e45823752415d0fc61aea576488899b0N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command e45823752415d0fc61aea576488899b0N.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2644 e45823752415d0fc61aea576488899b0N.exe -
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process 1700 4k51k4.exe 2784 CSRSS.EXE 1488 WINLOGON.EXE 1316 SERVICES.EXE 2980 SMSS.EXE 692 IExplorer.exe 2520 LSASS.EXE -
Suspicious use of SetWindowsHookEx 63 IoCs
pid Process 2644 e45823752415d0fc61aea576488899b0N.exe 1700 4k51k4.exe 692 IExplorer.exe 1488 WINLOGON.EXE 2784 CSRSS.EXE 1316 SERVICES.EXE 2520 LSASS.EXE 2980 SMSS.EXE 1808 4k51k4.exe 2404 4k51k4.exe 560 IExplorer.exe 2320 WINLOGON.EXE 2424 CSRSS.EXE 1840 SERVICES.EXE 2000 LSASS.EXE 1596 SMSS.EXE 1868 IExplorer.exe 2916 4k51k4.exe 3000 WINLOGON.EXE 2920 4k51k4.exe 2904 4k51k4.exe 2036 4k51k4.exe 1540 IExplorer.exe 2984 4k51k4.exe 2348 IExplorer.exe 2764 4k51k4.exe 2232 CSRSS.EXE 1208 WINLOGON.EXE 1136 IExplorer.exe 1132 IExplorer.exe 2500 IExplorer.exe 908 WINLOGON.EXE 560 WINLOGON.EXE 1708 WINLOGON.EXE 1756 WINLOGON.EXE 2404 IExplorer.exe 780 CSRSS.EXE 996 CSRSS.EXE 1840 CSRSS.EXE 696 SERVICES.EXE 2820 WINLOGON.EXE 2736 CSRSS.EXE 2700 SERVICES.EXE 2744 SERVICES.EXE 2692 LSASS.EXE 2808 LSASS.EXE 1244 CSRSS.EXE 2252 SERVICES.EXE 2732 CSRSS.EXE 2848 LSASS.EXE 3040 SERVICES.EXE 1260 LSASS.EXE 3024 SMSS.EXE 2800 LSASS.EXE 2920 SERVICES.EXE 1664 SMSS.EXE 1956 SMSS.EXE 2576 SMSS.EXE 2532 LSASS.EXE 2708 SMSS.EXE 1496 LSASS.EXE 2144 SMSS.EXE 2164 SMSS.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2644 wrote to memory of 1700 2644 e45823752415d0fc61aea576488899b0N.exe 30 PID 2644 wrote to memory of 1700 2644 e45823752415d0fc61aea576488899b0N.exe 30 PID 2644 wrote to memory of 1700 2644 e45823752415d0fc61aea576488899b0N.exe 30 PID 2644 wrote to memory of 1700 2644 e45823752415d0fc61aea576488899b0N.exe 30 PID 2644 wrote to memory of 692 2644 e45823752415d0fc61aea576488899b0N.exe 31 PID 2644 wrote to memory of 692 2644 e45823752415d0fc61aea576488899b0N.exe 31 PID 2644 wrote to memory of 692 2644 e45823752415d0fc61aea576488899b0N.exe 31 PID 2644 wrote to memory of 692 2644 e45823752415d0fc61aea576488899b0N.exe 31 PID 2644 wrote to memory of 1488 2644 e45823752415d0fc61aea576488899b0N.exe 32 PID 2644 wrote to memory of 1488 2644 e45823752415d0fc61aea576488899b0N.exe 32 PID 2644 wrote to memory of 1488 2644 e45823752415d0fc61aea576488899b0N.exe 32 PID 2644 wrote to memory of 1488 2644 e45823752415d0fc61aea576488899b0N.exe 32 PID 2644 wrote to memory of 2784 2644 e45823752415d0fc61aea576488899b0N.exe 33 PID 2644 wrote to memory of 2784 2644 e45823752415d0fc61aea576488899b0N.exe 33 PID 2644 wrote to memory of 2784 2644 e45823752415d0fc61aea576488899b0N.exe 33 PID 2644 wrote to memory of 2784 2644 e45823752415d0fc61aea576488899b0N.exe 33 PID 2644 wrote to memory of 1316 2644 e45823752415d0fc61aea576488899b0N.exe 34 PID 2644 wrote to memory of 1316 2644 e45823752415d0fc61aea576488899b0N.exe 34 PID 2644 wrote to memory of 1316 2644 e45823752415d0fc61aea576488899b0N.exe 34 PID 2644 wrote to memory of 1316 2644 e45823752415d0fc61aea576488899b0N.exe 34 PID 2644 wrote to memory of 2520 2644 e45823752415d0fc61aea576488899b0N.exe 35 PID 2644 wrote to memory of 2520 2644 e45823752415d0fc61aea576488899b0N.exe 35 PID 2644 wrote to memory of 2520 2644 e45823752415d0fc61aea576488899b0N.exe 35 PID 2644 wrote to memory of 2520 2644 e45823752415d0fc61aea576488899b0N.exe 35 PID 2644 wrote to memory of 2980 2644 e45823752415d0fc61aea576488899b0N.exe 36 PID 2644 wrote to memory of 2980 2644 e45823752415d0fc61aea576488899b0N.exe 36 PID 2644 wrote to memory of 2980 2644 e45823752415d0fc61aea576488899b0N.exe 36 PID 2644 wrote to memory of 2980 2644 e45823752415d0fc61aea576488899b0N.exe 36 PID 2644 wrote to memory of 1808 2644 e45823752415d0fc61aea576488899b0N.exe 37 PID 2644 wrote to memory of 1808 2644 e45823752415d0fc61aea576488899b0N.exe 37 PID 2644 wrote to memory of 1808 2644 e45823752415d0fc61aea576488899b0N.exe 37 PID 2644 wrote to memory of 1808 2644 e45823752415d0fc61aea576488899b0N.exe 37 PID 1700 wrote to memory of 2404 1700 4k51k4.exe 64 PID 1700 wrote to memory of 2404 1700 4k51k4.exe 64 PID 1700 wrote to memory of 2404 1700 4k51k4.exe 64 PID 1700 wrote to memory of 2404 1700 4k51k4.exe 64 PID 2644 wrote to memory of 1868 2644 e45823752415d0fc61aea576488899b0N.exe 39 PID 2644 wrote to memory of 1868 2644 e45823752415d0fc61aea576488899b0N.exe 39 PID 2644 wrote to memory of 1868 2644 e45823752415d0fc61aea576488899b0N.exe 39 PID 2644 wrote to memory of 1868 2644 e45823752415d0fc61aea576488899b0N.exe 39 PID 1700 wrote to memory of 560 1700 4k51k4.exe 66 PID 1700 wrote to memory of 560 1700 4k51k4.exe 66 PID 1700 wrote to memory of 560 1700 4k51k4.exe 66 PID 1700 wrote to memory of 560 1700 4k51k4.exe 66 PID 1700 wrote to memory of 2320 1700 4k51k4.exe 41 PID 1700 wrote to memory of 2320 1700 4k51k4.exe 41 PID 1700 wrote to memory of 2320 1700 4k51k4.exe 41 PID 1700 wrote to memory of 2320 1700 4k51k4.exe 41 PID 1700 wrote to memory of 2424 1700 4k51k4.exe 42 PID 1700 wrote to memory of 2424 1700 4k51k4.exe 42 PID 1700 wrote to memory of 2424 1700 4k51k4.exe 42 PID 1700 wrote to memory of 2424 1700 4k51k4.exe 42 PID 1700 wrote to memory of 1840 1700 4k51k4.exe 67 PID 1700 wrote to memory of 1840 1700 4k51k4.exe 67 PID 1700 wrote to memory of 1840 1700 4k51k4.exe 67 PID 1700 wrote to memory of 1840 1700 4k51k4.exe 67 PID 1700 wrote to memory of 2000 1700 4k51k4.exe 44 PID 1700 wrote to memory of 2000 1700 4k51k4.exe 44 PID 1700 wrote to memory of 2000 1700 4k51k4.exe 44 PID 1700 wrote to memory of 2000 1700 4k51k4.exe 44 PID 1700 wrote to memory of 1596 1700 4k51k4.exe 45 PID 1700 wrote to memory of 1596 1700 4k51k4.exe 45 PID 1700 wrote to memory of 1596 1700 4k51k4.exe 45 PID 1700 wrote to memory of 1596 1700 4k51k4.exe 45 -
System policy modification 1 TTPs 40 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer e45823752415d0fc61aea576488899b0N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" e45823752415d0fc61aea576488899b0N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" e45823752415d0fc61aea576488899b0N.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" e45823752415d0fc61aea576488899b0N.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\e45823752415d0fc61aea576488899b0N.exe"C:\Users\Admin\AppData\Local\Temp\e45823752415d0fc61aea576488899b0N.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1700 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2404
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2320
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2424
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1840
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2000
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1596
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:692 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2764
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2404
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1244
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2532
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2144
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1488 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2904
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1756
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2736
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2252
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2708
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2784 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2984
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2500
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:560
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1840
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2848
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2576
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1316 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2348
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:908
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:996
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1372
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2520 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2036
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1136
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1708
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1496
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2164
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2980 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2920
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1540
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1208
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:780
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:696
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2808
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1664
-
-
-
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1868
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3000
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2232
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2700
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1260
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1956
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD585190f5f5e1eaa0d54840c0e1f2e5fa9
SHA14df198ff46de76084678bc5a6a4edc5d58ffdca1
SHA25636935cbd7717d76a571d5f9704d7b780960a66e53943fb92407724022e6f8618
SHA5123b3b49127044e07316ca460879646cfb4fa070819bfc92c3caa14e7cd1ea1d34837c07342fe509de93e1ee4bd8459000a6d36a968ccad04b1f46c66b437e3b22
-
Filesize
1.1MB
MD504d20f63de221078df64af3cdbe3365f
SHA1cb6e81d39f0e94dac1c298d2e51893ca0cdec52c
SHA256325caf9128970c1c3e30859322f35518db54db9807441ba234953eb37586d55e
SHA512904d1f05db2ce5e646223819f66d81c5358603217385823b50788336d901b89c0cb2fcac31556143d1c5ce8940bc2dbb3c8233e3458e79fb0a99de1ba3267891
-
Filesize
1.1MB
MD5dd22211487bce49de07e3864f78dacc4
SHA19a748354cf796bb45f56145c14ed0007df76fcfe
SHA2562924d240075fd5e1a6931f30128a4e429e58f04fa5e6f16a1d0921a634687209
SHA512bc9930811b23033a57e91571126037500397f8f88cbca383a49b2a5b43ea7100b164bb5e73269cf262e7f5d1f5d98c14e70c000abdd1cf8407e34aaafb2f2e65
-
Filesize
442B
MD5001424d7974b9a3995af292f6fcfe171
SHA1f8201d49d594d712c8450679c856c2e8307d2337
SHA256660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
SHA51266ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657
-
Filesize
1.1MB
MD5e45823752415d0fc61aea576488899b0
SHA1e62349106b8a650b874fba96d20a6607a9da0623
SHA2560f680e79b2be776b6f34c9fe86c8e9a40d88a6ea84c9bdb00822bb2ecebe031d
SHA512bce79c2d6e85a68be1dcb048047ec71bc11c1b32b9b8ff8cf65a8a3baee9839e15ec59c385fc1a688894cc38e70c593062624e8da22112e8938c2e0feaedb0eb
-
Filesize
1.1MB
MD56b17679a1d4df4dde49a86a4d2b694f9
SHA1f666112ea31d97baafce7c48bcf1b1218bfeaa89
SHA2563729be789abb1630fc1367df392c453172a7668148575f7841736802f633dcd5
SHA5123295278109af647a50b16ec253a2f720695c548505fd408c438cabba7f5938b5ad12a43672cf42a063a80156b89271ddb1c6e1c17098b1d02a2a31fc1ce9ee39
-
Filesize
1.1MB
MD5f65a623d041d52f2bef13680c9dd9d18
SHA1f218624762a6df1a5ca0a1069cb4faea83a85b4c
SHA256a8b82a1043bc7fba50fbd2d86c09f619fd61a220a776d5309ed726e85bccb1c3
SHA512850c3c42d02dfbef0a59f44065b6ac27c6d14662d3601e30ef49bf23b5e1dc605b3456b46aebbffc5106c25df8cff53110b53728eb808fe47619e7f16ac90e69
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
1.1MB
MD51aa1f6b54fb0662de42ca29b1eade565
SHA15be432d70a4f5c5b12fdfc74cec8335531d9c1f9
SHA256f44babca094824a5140d60efcd0381f75fa3d906702e4ab3e5500a631395ff83
SHA5121f25f22fc23a2e07fe8e06097ab37d99564da7b005527efd094e8ffd05a868e7e6be2730649b49fa83ef7d6602db2c62a4999a3c8851240c69e41988d4f56125
-
Filesize
1.1MB
MD5174b5db0767f84d852cde8e00b46d628
SHA17b701301f89d0873976e79a8fe0713f273aebda1
SHA2566049217cbf1a320880004e41cd283c74a2b3de30d2880c1e046d7405570b3ece
SHA51269672d990bb17c2d6ef318d71cf791fdded73728559e577ec503e65de35acdd4eaa00c70f8996e20c0bb44387f68b0c1fdaf0faf10b8f02cacc87da0d4021084
-
Filesize
1.1MB
MD50cdf9b3d99af8a9a7c76be2b2e2f4817
SHA1f453b555c30a44ab116e29d4d2dc3258010c1670
SHA256af2493a2cc3590906eb8c10d091b75ac82658a31b11dfd7e3b2ed3c057444d2b
SHA5129349e7c5ec36fddec1725aa62d97e34d6281e9924f2f2f5c2b1912e214d07b76caf26b27cc49a6b96fbb254e461d41952dbc178a002c61e6ae238bd91c93d5b2
-
Filesize
1.1MB
MD53d2ba7f997767dc67df088efbc59bce9
SHA14e1341c6c3ef9dddde1fb1a0fcec853ebf5f1135
SHA256f47b1b2e6cf8dbd003cace0e3ba492aa3e8e555d8e26f369deeb98b3b41e487c
SHA512574a63f454897281035cb75585921ad2770e6025f9ee6b2d72c24d83f71f5ceb1d0ad234a2cb608f06ab8ca0903fc13c2883318b96c178bbf7a2ebe5cb3ba183
-
Filesize
1.1MB
MD51c7de98e56a29a9b4742038937095b67
SHA1f1614f53952b069d25efd01aef5e81ed6d496c67
SHA2566bdb9d5f1d3ae44aa191572c5faabec6c3924bacfc1691e8115ee8ba2e3fa059
SHA51214a8e8acac175e283f716bca299b5634cda48139f12a2598caac396c004725ecd2e265cdcd3031e8eab703ef16953f63313749fcf3b2af828d0c7c498ffaedfc
-
Filesize
1.1MB
MD5020489d1a32b2d22846222e482a709d4
SHA1e1a410ab5e7b91e271350811b4db944e798ab1c5
SHA256df038daa13076e727f5247e5238ff286c7bebbdfb857dea1d1008ddcf8e1aa8c
SHA512ca460e270975ce719a0c39c9fb613760c11419c254df6e0f0a8a8319a9191ee4fcd39a3edc0f9ebcef26efcc21a58a1c281c609e3f27536acb50c69fd2188bbb
-
Filesize
1.1MB
MD5d51a6aef55a92d1e10b51f5272de7b78
SHA1afea95de04b59375f17f807856c5748411b6c0f4
SHA2561779d96f83cfa6ca9da8abbe3d79c1946d925d8aac96dcb76ec809dd2c683392
SHA51246d97aab9c80eefe41417d2c7b33fae3fc1d79370c5b0b89bb13b9b0fe5b16594d839030d634200d92988aad8f6eed802261941273f79af8e84bcdc1d8596cb5
-
Filesize
1.1MB
MD5755ee9f6801937197c8f06fc665a03cb
SHA1d843d6247d1dca1707353a7585c1b94c3e5970b7
SHA256e8d576188a6c6f14a9a572f049178d054efa7e9b9546e4165eefb71a67c1ee4b
SHA512b14a202460ca2dd2f5640604700b2b8c84b316437d13ebeac023f0ff25e6401fd6e560f1e3e48c8f86d684bd86404d7f7aaef73c9cea1edc1e5480f41a40aa45
-
Filesize
1.1MB
MD5a912b59c24d9ee6efa6b80a422d8e784
SHA12fde69173e3e04e9c2b6f75e220a2c6c29800e21
SHA2567d75c02fc70712130d544c5b6f60def88d74621427efff74bf2f537e7b5ec263
SHA51254c15241c0e8ffc3459b93e6d442d874e4c5b4fbd0213a3aa28a9ff62fbf302468abaeeb7897c393b8158d9940f7b31e33b20f7cef3d6d16c26ee77ebe247c23
-
Filesize
1.1MB
MD553f2cea11ce0b9e19d7bf99507f1b92a
SHA10f00bd1040cf46c95ed5b793765daf3a7e4b44f2
SHA256013e53e86ff231c82dfe7da550758cc31c5eb0b21e30b9ca5ffd155a859dfe52
SHA512a6b45b562337018fa41a7d2c88b15f9747c28aa10e228fe44e0dd03b524db53c5aa42205fdc4b535308b1ec76fbbe28f474fbe2eb9b364ba5ba6d81e1d3ec3cb
-
Filesize
1.1MB
MD5d2dc36efeca6269f2365c6a3119e9302
SHA134f8231bac7e4666dde8dfb6268b61c177483c44
SHA2568e8d93a4bb61b651daa16f992b1f9047de903df6438f2170beca98e3f33d305b
SHA51285d7b0099c8734a04b13296396a686283b982b57fcd83f4581ab9b2ca0ff2207d17df1666390fe570db2fafe311be00b7bd5d77d1de3338343f487c08f8905c5