0f680e79b2be776b6f34c9fe86c8e9a40d88a6ea84c9bdb00822bb2ecebe031d

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 03:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e45823752415d0fc61aea576488899b0N.exe
Size

1.1MB
MD5

e45823752415d0fc61aea576488899b0
SHA1

e62349106b8a650b874fba96d20a6607a9da0623
SHA256

0f680e79b2be776b6f34c9fe86c8e9a40d88a6ea84c9bdb00822bb2ecebe031d
SHA512

bce79c2d6e85a68be1dcb048047ec71bc11c1b32b9b8ff8cf65a8a3baee9839e15ec59c385fc1a688894cc38e70c593062624e8da22112e8938c2e0feaedb0eb
SSDEEP

6144:mjmjqj9jCfj9j3j9jtj9jOj9j9j9jvj9jGj9jSj9jSj9jmj9jE:hf

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 16 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	SMSS.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	e45823752415d0fc61aea576488899b0N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	e45823752415d0fc61aea576488899b0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe

Disables RegEdit via registry modification 16 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e45823752415d0fc61aea576488899b0N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e45823752415d0fc61aea576488899b0N.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 63 IoCs

pid	Process
1700	4k51k4.exe
692	IExplorer.exe
1488	WINLOGON.EXE
2784	CSRSS.EXE
1316	SERVICES.EXE
2520	LSASS.EXE
2980	SMSS.EXE
1808	4k51k4.exe
2404	4k51k4.exe
1868	IExplorer.exe
560	IExplorer.exe
2320	WINLOGON.EXE
2424	CSRSS.EXE
1840	SERVICES.EXE
2000	LSASS.EXE
1596	SMSS.EXE
2916	4k51k4.exe
2920	4k51k4.exe
2904	4k51k4.exe
3000	WINLOGON.EXE
2036	4k51k4.exe
1540	IExplorer.exe
2348	IExplorer.exe
2984	4k51k4.exe
2764	4k51k4.exe
2232	CSRSS.EXE
1208	WINLOGON.EXE
1136	IExplorer.exe
1132	IExplorer.exe
2500	IExplorer.exe
908	WINLOGON.EXE
780	CSRSS.EXE
2404	IExplorer.exe
560	WINLOGON.EXE
1756	WINLOGON.EXE
996	CSRSS.EXE
1708	WINLOGON.EXE
1840	CSRSS.EXE
696	SERVICES.EXE
1372	SERVICES.EXE
2744	SERVICES.EXE
2732	CSRSS.EXE
2736	CSRSS.EXE
2820	WINLOGON.EXE
2808	LSASS.EXE
2700	SERVICES.EXE
2692	LSASS.EXE
1244	CSRSS.EXE
2252	SERVICES.EXE
1260	LSASS.EXE
2848	LSASS.EXE
3040	SERVICES.EXE
3024	SMSS.EXE
1664	SMSS.EXE
2800	LSASS.EXE
2920	SERVICES.EXE
1956	SMSS.EXE
2576	SMSS.EXE
2532	LSASS.EXE
2708	SMSS.EXE
1496	LSASS.EXE
2144	SMSS.EXE
2164	SMSS.EXE

Loads dropped DLL 64 IoCs

pid	Process
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
1700	4k51k4.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
1316	SERVICES.EXE
1316	SERVICES.EXE
2980	SMSS.EXE
2980	SMSS.EXE
2644	e45823752415d0fc61aea576488899b0N.exe
2644	e45823752415d0fc61aea576488899b0N.exe
2520	LSASS.EXE
1488	WINLOGON.EXE
1488	WINLOGON.EXE
2980	SMSS.EXE
2980	SMSS.EXE
2520	LSASS.EXE
2784	CSRSS.EXE
2784	CSRSS.EXE
1316	SERVICES.EXE
1316	SERVICES.EXE
1488	WINLOGON.EXE
2980	SMSS.EXE
2980	SMSS.EXE
1316	SERVICES.EXE
1316	SERVICES.EXE
692	IExplorer.exe
2520	LSASS.EXE
2784	CSRSS.EXE
692	IExplorer.exe
2520	LSASS.EXE
2784	CSRSS.EXE
2784	CSRSS.EXE
2980	SMSS.EXE
2980	SMSS.EXE
1316	SERVICES.EXE
2784	CSRSS.EXE
1488	WINLOGON.EXE
2784	CSRSS.EXE
1488	WINLOGON.EXE
2520	LSASS.EXE

Modifies system executable filetype association 2 TTPs 64 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00070000000174f7-8.dat	upx
behavioral1/files/0x000800000001871a-112.dat	upx
behavioral1/files/0x00050000000193f7-116.dat	upx
behavioral1/files/0x00050000000194ab-128.dat	upx
behavioral1/memory/1488-138-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00050000000194c1-139.dat	upx
behavioral1/memory/2784-148-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2644-141-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00050000000194df-151.dat	upx
behavioral1/memory/1700-153-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000500000001950e-161.dat	upx
behavioral1/memory/692-168-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x0005000000019516-173.dat	upx
behavioral1/memory/1488-176-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2784-227-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x000600000001939d-238.dat	upx
behavioral1/files/0x00050000000193da-242.dat	upx
behavioral1/files/0x0005000000019426-244.dat	upx
behavioral1/files/0x00090000000170da-237.dat	upx
behavioral1/memory/1808-270-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1316-267-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2404-265-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2520-272-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2000-312-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1596-319-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1840-305-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2424-298-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2320-291-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/560-284-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2404-279-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00090000000170da-353.dat	upx
behavioral1/memory/2980-393-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/files/0x00050000000193da-357.dat	upx
behavioral1/files/0x00050000000193da-369.dat	upx
behavioral1/files/0x000600000001939d-366.dat	upx
behavioral1/files/0x00090000000170da-365.dat	upx
behavioral1/memory/1868-398-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2920-424-0x0000000000220000-0x0000000000230000-memory.dmp	upx
behavioral1/memory/1540-490-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1540-507-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1208-529-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1132-527-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2500-531-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/908-533-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2348-517-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1316-534-0x0000000002540000-0x0000000002563000-memory.dmp	upx
behavioral1/memory/560-550-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/1756-559-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2404-557-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/780-554-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2764-524-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/908-520-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2984-513-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2904-510-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2036-501-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2520-566-0x00000000003D0000-0x00000000003F3000-memory.dmp	upx
behavioral1/memory/1840-564-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/996-567-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2232-495-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2764-494-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2984-493-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2980-492-0x0000000001D90000-0x0000000001DB3000-memory.dmp	upx
behavioral1/memory/2348-491-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Adds Run key to start application 2 TTPs 40 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	LSASS.EXE

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	4k51k4.exe
File created	C:\desktop.ini	4k51k4.exe
File opened for modification	F:\desktop.ini	4k51k4.exe
File created	F:\desktop.ini	4k51k4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	CSRSS.EXE
File opened (read-only)	\??\L:	LSASS.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\O:	4k51k4.exe
File opened (read-only)	\??\X:	CSRSS.EXE
File opened (read-only)	\??\U:	WINLOGON.EXE
File opened (read-only)	\??\B:	4k51k4.exe
File opened (read-only)	\??\L:	CSRSS.EXE
File opened (read-only)	\??\Z:	CSRSS.EXE
File opened (read-only)	\??\O:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\H:	IExplorer.exe
File opened (read-only)	\??\J:	LSASS.EXE
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\N:	SMSS.EXE
File opened (read-only)	\??\R:	SMSS.EXE
File opened (read-only)	\??\W:	SERVICES.EXE
File opened (read-only)	\??\U:	4k51k4.exe
File opened (read-only)	\??\H:	4k51k4.exe
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\H:	SERVICES.EXE
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\E:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\H:	WINLOGON.EXE
File opened (read-only)	\??\J:	IExplorer.exe
File opened (read-only)	\??\Y:	IExplorer.exe
File opened (read-only)	\??\E:	4k51k4.exe
File opened (read-only)	\??\E:	CSRSS.EXE
File opened (read-only)	\??\N:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\P:	WINLOGON.EXE
File opened (read-only)	\??\M:	IExplorer.exe
File opened (read-only)	\??\S:	LSASS.EXE
File opened (read-only)	\??\R:	4k51k4.exe
File opened (read-only)	\??\Y:	4k51k4.exe
File opened (read-only)	\??\E:	SMSS.EXE
File opened (read-only)	\??\X:	SMSS.EXE
File opened (read-only)	\??\G:	CSRSS.EXE
File opened (read-only)	\??\L:	4k51k4.exe
File opened (read-only)	\??\H:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\W:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\X:	IExplorer.exe
File opened (read-only)	\??\X:	LSASS.EXE
File opened (read-only)	\??\Z:	LSASS.EXE
File opened (read-only)	\??\J:	4k51k4.exe
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\I:	CSRSS.EXE
File opened (read-only)	\??\S:	CSRSS.EXE
File opened (read-only)	\??\W:	CSRSS.EXE
File opened (read-only)	\??\P:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\K:	WINLOGON.EXE
File opened (read-only)	\??\M:	4k51k4.exe
File opened (read-only)	\??\G:	SMSS.EXE
File opened (read-only)	\??\J:	CSRSS.EXE
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\O:	WINLOGON.EXE
File opened (read-only)	\??\V:	LSASS.EXE
File opened (read-only)	\??\Q:	SERVICES.EXE
File opened (read-only)	\??\T:	e45823752415d0fc61aea576488899b0N.exe
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\T:	LSASS.EXE
File opened (read-only)	\??\N:	4k51k4.exe
File opened (read-only)	\??\E:	SERVICES.EXE
File opened (read-only)	\??\J:	SERVICES.EXE
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\K:	4k51k4.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	e45823752415d0fc61aea576488899b0N.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	e45823752415d0fc61aea576488899b0N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	e45823752415d0fc61aea576488899b0N.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	e45823752415d0fc61aea576488899b0N.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	e45823752415d0fc61aea576488899b0N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	e45823752415d0fc61aea576488899b0N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	IExplorer.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\4k51k4.exe	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	e45823752415d0fc61aea576488899b0N.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	e45823752415d0fc61aea576488899b0N.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File created	C:\Windows\4k51k4.exe	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e45823752415d0fc61aea576488899b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IExplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LSASS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WINLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4k51k4.exe

Modifies Control Panel 32 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	WINLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	WINLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	IExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	LSASS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	WINLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	LSASS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	e45823752415d0fc61aea576488899b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	e45823752415d0fc61aea576488899b0N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2644	e45823752415d0fc61aea576488899b0N.exe

Suspicious behavior: GetForegroundWindowSpam 7 IoCs

pid	Process
1700	4k51k4.exe
2784	CSRSS.EXE
1488	WINLOGON.EXE
1316	SERVICES.EXE
2980	SMSS.EXE
692	IExplorer.exe
2520	LSASS.EXE

Suspicious use of SetWindowsHookEx 63 IoCs

pid	Process
2644	e45823752415d0fc61aea576488899b0N.exe
1700	4k51k4.exe
692	IExplorer.exe
1488	WINLOGON.EXE
2784	CSRSS.EXE
1316	SERVICES.EXE
2520	LSASS.EXE
2980	SMSS.EXE
1808	4k51k4.exe
2404	4k51k4.exe
560	IExplorer.exe
2320	WINLOGON.EXE
2424	CSRSS.EXE
1840	SERVICES.EXE
2000	LSASS.EXE
1596	SMSS.EXE
1868	IExplorer.exe
2916	4k51k4.exe
3000	WINLOGON.EXE
2920	4k51k4.exe
2904	4k51k4.exe
2036	4k51k4.exe
1540	IExplorer.exe
2984	4k51k4.exe
2348	IExplorer.exe
2764	4k51k4.exe
2232	CSRSS.EXE
1208	WINLOGON.EXE
1136	IExplorer.exe
1132	IExplorer.exe
2500	IExplorer.exe
908	WINLOGON.EXE
560	WINLOGON.EXE
1708	WINLOGON.EXE
1756	WINLOGON.EXE
2404	IExplorer.exe
780	CSRSS.EXE
996	CSRSS.EXE
1840	CSRSS.EXE
696	SERVICES.EXE
2820	WINLOGON.EXE
2736	CSRSS.EXE
2700	SERVICES.EXE
2744	SERVICES.EXE
2692	LSASS.EXE
2808	LSASS.EXE
1244	CSRSS.EXE
2252	SERVICES.EXE
2732	CSRSS.EXE
2848	LSASS.EXE
3040	SERVICES.EXE
1260	LSASS.EXE
3024	SMSS.EXE
2800	LSASS.EXE
2920	SERVICES.EXE
1664	SMSS.EXE
1956	SMSS.EXE
2576	SMSS.EXE
2532	LSASS.EXE
2708	SMSS.EXE
1496	LSASS.EXE
2144	SMSS.EXE
2164	SMSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 1700	2644	e45823752415d0fc61aea576488899b0N.exe	30
PID 2644 wrote to memory of 1700	2644	e45823752415d0fc61aea576488899b0N.exe	30
PID 2644 wrote to memory of 1700	2644	e45823752415d0fc61aea576488899b0N.exe	30
PID 2644 wrote to memory of 1700	2644	e45823752415d0fc61aea576488899b0N.exe	30
PID 2644 wrote to memory of 692	2644	e45823752415d0fc61aea576488899b0N.exe	31
PID 2644 wrote to memory of 692	2644	e45823752415d0fc61aea576488899b0N.exe	31
PID 2644 wrote to memory of 692	2644	e45823752415d0fc61aea576488899b0N.exe	31
PID 2644 wrote to memory of 692	2644	e45823752415d0fc61aea576488899b0N.exe	31
PID 2644 wrote to memory of 1488	2644	e45823752415d0fc61aea576488899b0N.exe	32
PID 2644 wrote to memory of 1488	2644	e45823752415d0fc61aea576488899b0N.exe	32
PID 2644 wrote to memory of 1488	2644	e45823752415d0fc61aea576488899b0N.exe	32
PID 2644 wrote to memory of 1488	2644	e45823752415d0fc61aea576488899b0N.exe	32
PID 2644 wrote to memory of 2784	2644	e45823752415d0fc61aea576488899b0N.exe	33
PID 2644 wrote to memory of 2784	2644	e45823752415d0fc61aea576488899b0N.exe	33
PID 2644 wrote to memory of 2784	2644	e45823752415d0fc61aea576488899b0N.exe	33
PID 2644 wrote to memory of 2784	2644	e45823752415d0fc61aea576488899b0N.exe	33
PID 2644 wrote to memory of 1316	2644	e45823752415d0fc61aea576488899b0N.exe	34
PID 2644 wrote to memory of 1316	2644	e45823752415d0fc61aea576488899b0N.exe	34
PID 2644 wrote to memory of 1316	2644	e45823752415d0fc61aea576488899b0N.exe	34
PID 2644 wrote to memory of 1316	2644	e45823752415d0fc61aea576488899b0N.exe	34
PID 2644 wrote to memory of 2520	2644	e45823752415d0fc61aea576488899b0N.exe	35
PID 2644 wrote to memory of 2520	2644	e45823752415d0fc61aea576488899b0N.exe	35
PID 2644 wrote to memory of 2520	2644	e45823752415d0fc61aea576488899b0N.exe	35
PID 2644 wrote to memory of 2520	2644	e45823752415d0fc61aea576488899b0N.exe	35
PID 2644 wrote to memory of 2980	2644	e45823752415d0fc61aea576488899b0N.exe	36
PID 2644 wrote to memory of 2980	2644	e45823752415d0fc61aea576488899b0N.exe	36
PID 2644 wrote to memory of 2980	2644	e45823752415d0fc61aea576488899b0N.exe	36
PID 2644 wrote to memory of 2980	2644	e45823752415d0fc61aea576488899b0N.exe	36
PID 2644 wrote to memory of 1808	2644	e45823752415d0fc61aea576488899b0N.exe	37
PID 2644 wrote to memory of 1808	2644	e45823752415d0fc61aea576488899b0N.exe	37
PID 2644 wrote to memory of 1808	2644	e45823752415d0fc61aea576488899b0N.exe	37
PID 2644 wrote to memory of 1808	2644	e45823752415d0fc61aea576488899b0N.exe	37
PID 1700 wrote to memory of 2404	1700	4k51k4.exe	64
PID 1700 wrote to memory of 2404	1700	4k51k4.exe	64
PID 1700 wrote to memory of 2404	1700	4k51k4.exe	64
PID 1700 wrote to memory of 2404	1700	4k51k4.exe	64
PID 2644 wrote to memory of 1868	2644	e45823752415d0fc61aea576488899b0N.exe	39
PID 2644 wrote to memory of 1868	2644	e45823752415d0fc61aea576488899b0N.exe	39
PID 2644 wrote to memory of 1868	2644	e45823752415d0fc61aea576488899b0N.exe	39
PID 2644 wrote to memory of 1868	2644	e45823752415d0fc61aea576488899b0N.exe	39
PID 1700 wrote to memory of 560	1700	4k51k4.exe	66
PID 1700 wrote to memory of 560	1700	4k51k4.exe	66
PID 1700 wrote to memory of 560	1700	4k51k4.exe	66
PID 1700 wrote to memory of 560	1700	4k51k4.exe	66
PID 1700 wrote to memory of 2320	1700	4k51k4.exe	41
PID 1700 wrote to memory of 2320	1700	4k51k4.exe	41
PID 1700 wrote to memory of 2320	1700	4k51k4.exe	41
PID 1700 wrote to memory of 2320	1700	4k51k4.exe	41
PID 1700 wrote to memory of 2424	1700	4k51k4.exe	42
PID 1700 wrote to memory of 2424	1700	4k51k4.exe	42
PID 1700 wrote to memory of 2424	1700	4k51k4.exe	42
PID 1700 wrote to memory of 2424	1700	4k51k4.exe	42
PID 1700 wrote to memory of 1840	1700	4k51k4.exe	67
PID 1700 wrote to memory of 1840	1700	4k51k4.exe	67
PID 1700 wrote to memory of 1840	1700	4k51k4.exe	67
PID 1700 wrote to memory of 1840	1700	4k51k4.exe	67
PID 1700 wrote to memory of 2000	1700	4k51k4.exe	44
PID 1700 wrote to memory of 2000	1700	4k51k4.exe	44
PID 1700 wrote to memory of 2000	1700	4k51k4.exe	44
PID 1700 wrote to memory of 2000	1700	4k51k4.exe	44
PID 1700 wrote to memory of 1596	1700	4k51k4.exe	45
PID 1700 wrote to memory of 1596	1700	4k51k4.exe	45
PID 1700 wrote to memory of 1596	1700	4k51k4.exe	45
PID 1700 wrote to memory of 1596	1700	4k51k4.exe	45

System policy modification 1 TTPs 40 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	IExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	e45823752415d0fc61aea576488899b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	IExplorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	e45823752415d0fc61aea576488899b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	e45823752415d0fc61aea576488899b0N.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	e45823752415d0fc61aea576488899b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE

C:\Users\Admin\AppData\Local\Temp\e45823752415d0fc61aea576488899b0N.exe
"C:\Users\Admin\AppData\Local\Temp\e45823752415d0fc61aea576488899b0N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2644
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1700
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:560
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2424
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2000
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1596
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:692
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2764
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1244
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3040
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2532
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2144
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1488
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2252
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2708
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2784
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2984
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2500
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:560
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2848
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2576
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:1316
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2916
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2348
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:908
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:996
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2692
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3024
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2520
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1136
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2164
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - System policy modification
  PID:2980
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2920
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:780
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:696
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1664
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1808
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1868
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3000
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2232
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1260
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4k51k4.exe

Filesize
1.1MB

MD5
85190f5f5e1eaa0d54840c0e1f2e5fa9

SHA1
4df198ff46de76084678bc5a6a4edc5d58ffdca1

SHA256
36935cbd7717d76a571d5f9704d7b780960a66e53943fb92407724022e6f8618

SHA512
3b3b49127044e07316ca460879646cfb4fa070819bfc92c3caa14e7cd1ea1d34837c07342fe509de93e1ee4bd8459000a6d36a968ccad04b1f46c66b437e3b22

Download Submit
C:\4k51k4.exe

Filesize
1.1MB

MD5
04d20f63de221078df64af3cdbe3365f

SHA1
cb6e81d39f0e94dac1c298d2e51893ca0cdec52c

SHA256
325caf9128970c1c3e30859322f35518db54db9807441ba234953eb37586d55e

SHA512
904d1f05db2ce5e646223819f66d81c5358603217385823b50788336d901b89c0cb2fcac31556143d1c5ce8940bc2dbb3c8233e3458e79fb0a99de1ba3267891

Download Submit
C:\4k51k4.exe

Filesize
1.1MB

MD5
dd22211487bce49de07e3864f78dacc4

SHA1
9a748354cf796bb45f56145c14ed0007df76fcfe

SHA256
2924d240075fd5e1a6931f30128a4e429e58f04fa5e6f16a1d0921a634687209

SHA512
bc9930811b23033a57e91571126037500397f8f88cbca383a49b2a5b43ea7100b164bb5e73269cf262e7f5d1f5d98c14e70c000abdd1cf8407e34aaafb2f2e65

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
1.1MB

MD5
e45823752415d0fc61aea576488899b0

SHA1
e62349106b8a650b874fba96d20a6607a9da0623

SHA256
0f680e79b2be776b6f34c9fe86c8e9a40d88a6ea84c9bdb00822bb2ecebe031d

SHA512
bce79c2d6e85a68be1dcb048047ec71bc11c1b32b9b8ff8cf65a8a3baee9839e15ec59c385fc1a688894cc38e70c593062624e8da22112e8938c2e0feaedb0eb

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
1.1MB

MD5
6b17679a1d4df4dde49a86a4d2b694f9

SHA1
f666112ea31d97baafce7c48bcf1b1218bfeaa89

SHA256
3729be789abb1630fc1367df392c453172a7668148575f7841736802f633dcd5

SHA512
3295278109af647a50b16ec253a2f720695c548505fd408c438cabba7f5938b5ad12a43672cf42a063a80156b89271ddb1c6e1c17098b1d02a2a31fc1ce9ee39

Download Submit
C:\Windows\4k51k4.exe

Filesize
1.1MB

MD5
f65a623d041d52f2bef13680c9dd9d18

SHA1
f218624762a6df1a5ca0a1069cb4faea83a85b4c

SHA256
a8b82a1043bc7fba50fbd2d86c09f619fd61a220a776d5309ed726e85bccb1c3

SHA512
850c3c42d02dfbef0a59f44065b6ac27c6d14662d3601e30ef49bf23b5e1dc605b3456b46aebbffc5106c25df8cff53110b53728eb808fe47619e7f16ac90e69

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
1aa1f6b54fb0662de42ca29b1eade565

SHA1
5be432d70a4f5c5b12fdfc74cec8335531d9c1f9

SHA256
f44babca094824a5140d60efcd0381f75fa3d906702e4ab3e5500a631395ff83

SHA512
1f25f22fc23a2e07fe8e06097ab37d99564da7b005527efd094e8ffd05a868e7e6be2730649b49fa83ef7d6602db2c62a4999a3c8851240c69e41988d4f56125

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
174b5db0767f84d852cde8e00b46d628

SHA1
7b701301f89d0873976e79a8fe0713f273aebda1

SHA256
6049217cbf1a320880004e41cd283c74a2b3de30d2880c1e046d7405570b3ece

SHA512
69672d990bb17c2d6ef318d71cf791fdded73728559e577ec503e65de35acdd4eaa00c70f8996e20c0bb44387f68b0c1fdaf0faf10b8f02cacc87da0d4021084

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
1.1MB

MD5
0cdf9b3d99af8a9a7c76be2b2e2f4817

SHA1
f453b555c30a44ab116e29d4d2dc3258010c1670

SHA256
af2493a2cc3590906eb8c10d091b75ac82658a31b11dfd7e3b2ed3c057444d2b

SHA512
9349e7c5ec36fddec1725aa62d97e34d6281e9924f2f2f5c2b1912e214d07b76caf26b27cc49a6b96fbb254e461d41952dbc178a002c61e6ae238bd91c93d5b2

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
3d2ba7f997767dc67df088efbc59bce9

SHA1
4e1341c6c3ef9dddde1fb1a0fcec853ebf5f1135

SHA256
f47b1b2e6cf8dbd003cace0e3ba492aa3e8e555d8e26f369deeb98b3b41e487c

SHA512
574a63f454897281035cb75585921ad2770e6025f9ee6b2d72c24d83f71f5ceb1d0ad234a2cb608f06ab8ca0903fc13c2883318b96c178bbf7a2ebe5cb3ba183

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
1.1MB

MD5
1c7de98e56a29a9b4742038937095b67

SHA1
f1614f53952b069d25efd01aef5e81ed6d496c67

SHA256
6bdb9d5f1d3ae44aa191572c5faabec6c3924bacfc1691e8115ee8ba2e3fa059

SHA512
14a8e8acac175e283f716bca299b5634cda48139f12a2598caac396c004725ecd2e265cdcd3031e8eab703ef16953f63313749fcf3b2af828d0c7c498ffaedfc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
1.1MB

MD5
020489d1a32b2d22846222e482a709d4

SHA1
e1a410ab5e7b91e271350811b4db944e798ab1c5

SHA256
df038daa13076e727f5247e5238ff286c7bebbdfb857dea1d1008ddcf8e1aa8c

SHA512
ca460e270975ce719a0c39c9fb613760c11419c254df6e0f0a8a8319a9191ee4fcd39a3edc0f9ebcef26efcc21a58a1c281c609e3f27536acb50c69fd2188bbb

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
1.1MB

MD5
d51a6aef55a92d1e10b51f5272de7b78

SHA1
afea95de04b59375f17f807856c5748411b6c0f4

SHA256
1779d96f83cfa6ca9da8abbe3d79c1946d925d8aac96dcb76ec809dd2c683392

SHA512
46d97aab9c80eefe41417d2c7b33fae3fc1d79370c5b0b89bb13b9b0fe5b16594d839030d634200d92988aad8f6eed802261941273f79af8e84bcdc1d8596cb5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
1.1MB

MD5
755ee9f6801937197c8f06fc665a03cb

SHA1
d843d6247d1dca1707353a7585c1b94c3e5970b7

SHA256
e8d576188a6c6f14a9a572f049178d054efa7e9b9546e4165eefb71a67c1ee4b

SHA512
b14a202460ca2dd2f5640604700b2b8c84b316437d13ebeac023f0ff25e6401fd6e560f1e3e48c8f86d684bd86404d7f7aaef73c9cea1edc1e5480f41a40aa45

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
1.1MB

MD5
a912b59c24d9ee6efa6b80a422d8e784

SHA1
2fde69173e3e04e9c2b6f75e220a2c6c29800e21

SHA256
7d75c02fc70712130d544c5b6f60def88d74621427efff74bf2f537e7b5ec263

SHA512
54c15241c0e8ffc3459b93e6d442d874e4c5b4fbd0213a3aa28a9ff62fbf302468abaeeb7897c393b8158d9940f7b31e33b20f7cef3d6d16c26ee77ebe247c23

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
1.1MB

MD5
53f2cea11ce0b9e19d7bf99507f1b92a

SHA1
0f00bd1040cf46c95ed5b793765daf3a7e4b44f2

SHA256
013e53e86ff231c82dfe7da550758cc31c5eb0b21e30b9ca5ffd155a859dfe52

SHA512
a6b45b562337018fa41a7d2c88b15f9747c28aa10e228fe44e0dd03b524db53c5aa42205fdc4b535308b1ec76fbbe28f474fbe2eb9b364ba5ba6d81e1d3ec3cb

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
1.1MB

MD5
d2dc36efeca6269f2365c6a3119e9302

SHA1
34f8231bac7e4666dde8dfb6268b61c177483c44

SHA256
8e8d93a4bb61b651daa16f992b1f9047de903df6438f2170beca98e3f33d305b

SHA512
85d7b0099c8734a04b13296396a686283b982b57fcd83f4581ab9b2ca0ff2207d17df1666390fe570db2fafe311be00b7bd5d77d1de3338343f487c08f8905c5

Download Submit
memory/560-550-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/560-284-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/692-471-0x0000000001E00000-0x0000000001E23000-memory.dmp

Filesize
140KB

Download
memory/692-572-0x0000000001E00000-0x0000000001E23000-memory.dmp

Filesize
140KB

Download
memory/692-168-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/780-554-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/908-520-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/908-533-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/996-567-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1132-527-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1208-529-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1316-534-0x0000000002540000-0x0000000002563000-memory.dmp

Filesize
140KB

Download
memory/1316-563-0x0000000002540000-0x0000000002563000-memory.dmp

Filesize
140KB

Download
memory/1316-267-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1488-176-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1488-521-0x0000000001CD0000-0x0000000001CF3000-memory.dmp

Filesize
140KB

Download
memory/1488-580-0x0000000001CD0000-0x0000000001CF3000-memory.dmp

Filesize
140KB

Download
memory/1488-138-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1540-490-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1540-507-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1596-319-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1700-350-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-346-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-341-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-419-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-428-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-342-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-343-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-344-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-345-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-433-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-347-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-348-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-349-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-429-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-430-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-431-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-264-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-432-0x00000000027D0000-0x00000000027F3000-memory.dmp

Filesize
140KB

Download
memory/1700-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-570-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1756-559-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1808-269-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1808-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-564-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1840-305-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1868-398-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-312-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-501-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2036-500-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2232-495-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2320-291-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-491-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2348-517-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-265-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-557-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-279-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2404-278-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2424-298-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2500-531-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2520-566-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2520-496-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2520-489-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2520-544-0x00000000003D0000-0x00000000003F3000-memory.dmp

Filesize
140KB

Download
memory/2520-272-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-395-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-472-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-394-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-418-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-113-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-147-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-170-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-421-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-392-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-266-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-169-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-396-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-118-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-573-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-228-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2644-134-0x0000000000510000-0x0000000000533000-memory.dmp

Filesize
140KB

Download
memory/2644-141-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2732-642-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-523-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2764-494-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2764-524-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-227-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-148-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2784-535-0x00000000031F0000-0x0000000003213000-memory.dmp

Filesize
140KB

Download
memory/2784-565-0x00000000031F0000-0x0000000003213000-memory.dmp

Filesize
140KB

Download
memory/2784-536-0x00000000031F0000-0x0000000003213000-memory.dmp

Filesize
140KB

Download
memory/2800-644-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2904-509-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2904-510-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2916-427-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2920-436-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2920-435-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2920-425-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2920-424-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2980-571-0x0000000001D90000-0x0000000001DB3000-memory.dmp

Filesize
140KB

Download
memory/2980-492-0x0000000001D90000-0x0000000001DB3000-memory.dmp

Filesize
140KB

Download
memory/2980-393-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-493-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2984-512-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2984-513-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-474-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3000-423-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3024-645-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download