Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
137s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
26/08/2024, 03:50
Behavioral task
behavioral1
Sample
d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe
Resource
win7-20240729-en
windows7-x64
24 signatures
150 seconds
Behavioral task
behavioral2
Sample
d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
23 signatures
150 seconds
General
-
Target
d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe
-
Size
91KB
-
MD5
a1251190bcef0dbe6e7dc45b5ee7feb3
-
SHA1
63b17ad4571ffc28b33f537c3e36f8cdeea7555e
-
SHA256
d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda
-
SHA512
693b25fba9a299fc93af7ffb8e489170beba9f53a23f2b463fac4f326155cc47117584164efffdecc40d707b899fcbfe5954bfff44a5bc24be0e4540c7e0c51e
-
SSDEEP
1536:yOcjUpkWb2TTgKwuPOcjUpkWb2TTgKwuu:yOcjWJu7tPOcjWJu7tu
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 16 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" SERVICES.EXE -
Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 4k51k4.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SMSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" LSASS.EXE -
Disables RegEdit via registry modification 16 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE -
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Executes dropped EXE 56 IoCs
pid Process 2728 4k51k4.exe 2776 IExplorer.exe 1084 WINLOGON.EXE 2424 CSRSS.EXE 1708 SERVICES.EXE 1188 LSASS.EXE 1660 SMSS.EXE 2492 4k51k4.exe 1284 IExplorer.exe 2008 4k51k4.exe 1808 WINLOGON.EXE 924 IExplorer.exe 2912 CSRSS.EXE 1736 SERVICES.EXE 2016 4k51k4.exe 1680 LSASS.EXE 2692 4k51k4.exe 2716 4k51k4.exe 2132 SMSS.EXE 2816 IExplorer.exe 2820 WINLOGON.EXE 2600 CSRSS.EXE 2180 IExplorer.exe 2648 IExplorer.exe 1308 WINLOGON.EXE 2040 WINLOGON.EXE 1388 WINLOGON.EXE 1316 SERVICES.EXE 1532 CSRSS.EXE 1040 CSRSS.EXE 2536 CSRSS.EXE 1852 SERVICES.EXE 2528 LSASS.EXE 2204 SERVICES.EXE 632 LSASS.EXE 2720 4k51k4.exe 1472 4k51k4.exe 2208 SERVICES.EXE 904 IExplorer.exe 872 IExplorer.exe 2484 SMSS.EXE 1524 SMSS.EXE 828 LSASS.EXE 2468 WINLOGON.EXE 2212 LSASS.EXE 2460 WINLOGON.EXE 2284 SMSS.EXE 2268 CSRSS.EXE 1952 SMSS.EXE 1572 CSRSS.EXE 2084 SERVICES.EXE 2844 SERVICES.EXE 2740 LSASS.EXE 2956 LSASS.EXE 2628 SMSS.EXE 2652 SMSS.EXE -
Loads dropped DLL 64 IoCs
pid Process 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2776 IExplorer.exe 2776 IExplorer.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 2728 4k51k4.exe 1708 SERVICES.EXE 2776 IExplorer.exe 1708 SERVICES.EXE 2776 IExplorer.exe 2776 IExplorer.exe 2776 IExplorer.exe 2424 CSRSS.EXE 1084 WINLOGON.EXE 2424 CSRSS.EXE 1084 WINLOGON.EXE 1084 WINLOGON.EXE 1708 SERVICES.EXE 1708 SERVICES.EXE 2776 IExplorer.exe 2776 IExplorer.exe 2424 CSRSS.EXE 2424 CSRSS.EXE 1708 SERVICES.EXE 1708 SERVICES.EXE 1084 WINLOGON.EXE 1084 WINLOGON.EXE 2776 IExplorer.exe 2776 IExplorer.exe 2424 CSRSS.EXE 1084 WINLOGON.EXE 1084 WINLOGON.EXE 1708 SERVICES.EXE 1708 SERVICES.EXE 1708 SERVICES.EXE 2424 CSRSS.EXE 2776 IExplorer.exe 1084 WINLOGON.EXE 1708 SERVICES.EXE 2424 CSRSS.EXE 1660 SMSS.EXE 1188 LSASS.EXE 1660 SMSS.EXE 1188 LSASS.EXE -
Modifies system executable filetype association 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe -
resource yara_rule behavioral1/memory/2528-0-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x0007000000016d7c-8.dat upx behavioral1/files/0x0007000000016e98-114.dat upx behavioral1/files/0x00050000000195f9-125.dat upx behavioral1/files/0x00050000000195fd-130.dat upx behavioral1/memory/2528-136-0x00000000005C0000-0x00000000005E3000-memory.dmp upx behavioral1/memory/2528-142-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x00050000000195ff-140.dat upx behavioral1/memory/2424-148-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x0005000000019601-151.dat upx behavioral1/memory/2728-153-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2776-160-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/files/0x0005000000019603-165.dat upx behavioral1/files/0x0005000000019615-174.dat upx behavioral1/memory/1084-179-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2528-187-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2424-218-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1708-236-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1284-235-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2492-233-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1660-264-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2008-269-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1284-259-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1808-278-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1188-257-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2912-310-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2728-319-0x0000000002510000-0x0000000002533000-memory.dmp upx behavioral1/memory/1736-342-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1680-345-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2820-370-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2716-395-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2132-399-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2600-419-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1308-443-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2816-421-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1316-449-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1532-457-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1852-466-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2648-427-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2528-477-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2776-467-0x0000000002410000-0x0000000002433000-memory.dmp upx behavioral1/memory/1040-460-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2536-475-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/632-499-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2204-509-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2424-518-0x00000000003C0000-0x00000000003E3000-memory.dmp upx behavioral1/memory/2692-491-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1852-464-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1388-445-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/1388-436-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2040-433-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2268-583-0x0000000077A10000-0x0000000077B2F000-memory.dmp upx behavioral1/memory/2180-415-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2820-367-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2016-360-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2016-357-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/2716-356-0x0000000000400000-0x0000000000423000-memory.dmp upx behavioral1/memory/924-339-0x0000000000400000-0x0000000000423000-memory.dmp upx -
Adds Run key to start application 2 TTPs 40 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" CSRSS.EXE -
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\desktop.ini 4k51k4.exe File created C:\desktop.ini 4k51k4.exe File opened for modification F:\desktop.ini 4k51k4.exe File created F:\desktop.ini 4k51k4.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: CSRSS.EXE File opened (read-only) \??\U: CSRSS.EXE File opened (read-only) \??\E: CSRSS.EXE File opened (read-only) \??\L: CSRSS.EXE File opened (read-only) \??\S: CSRSS.EXE File opened (read-only) \??\G: SMSS.EXE File opened (read-only) \??\V: SMSS.EXE File opened (read-only) \??\Q: IExplorer.exe File opened (read-only) \??\J: WINLOGON.EXE File opened (read-only) \??\J: CSRSS.EXE File opened (read-only) \??\N: CSRSS.EXE File opened (read-only) \??\K: 4k51k4.exe File opened (read-only) \??\B: SERVICES.EXE File opened (read-only) \??\Z: SERVICES.EXE File opened (read-only) \??\T: WINLOGON.EXE File opened (read-only) \??\X: 4k51k4.exe File opened (read-only) \??\W: IExplorer.exe File opened (read-only) \??\V: CSRSS.EXE File opened (read-only) \??\Z: IExplorer.exe File opened (read-only) \??\I: SERVICES.EXE File opened (read-only) \??\T: SERVICES.EXE File opened (read-only) \??\U: SERVICES.EXE File opened (read-only) \??\O: CSRSS.EXE File opened (read-only) \??\O: SMSS.EXE File opened (read-only) \??\B: LSASS.EXE File opened (read-only) \??\Q: LSASS.EXE File opened (read-only) \??\I: IExplorer.exe File opened (read-only) \??\L: IExplorer.exe File opened (read-only) \??\Y: IExplorer.exe File opened (read-only) \??\S: SERVICES.EXE File opened (read-only) \??\G: WINLOGON.EXE File opened (read-only) \??\M: WINLOGON.EXE File opened (read-only) \??\Z: LSASS.EXE File opened (read-only) \??\B: IExplorer.exe File opened (read-only) \??\U: IExplorer.exe File opened (read-only) \??\X: IExplorer.exe File opened (read-only) \??\T: SMSS.EXE File opened (read-only) \??\W: WINLOGON.EXE File opened (read-only) \??\H: CSRSS.EXE File opened (read-only) \??\H: 4k51k4.exe File opened (read-only) \??\Y: 4k51k4.exe File opened (read-only) \??\H: IExplorer.exe File opened (read-only) \??\I: WINLOGON.EXE File opened (read-only) \??\S: WINLOGON.EXE File opened (read-only) \??\U: WINLOGON.EXE File opened (read-only) \??\M: CSRSS.EXE File opened (read-only) \??\Y: LSASS.EXE File opened (read-only) \??\Q: 4k51k4.exe File opened (read-only) \??\G: IExplorer.exe File opened (read-only) \??\N: SERVICES.EXE File opened (read-only) \??\P: CSRSS.EXE File opened (read-only) \??\M: SERVICES.EXE File opened (read-only) \??\Z: WINLOGON.EXE File opened (read-only) \??\I: CSRSS.EXE File opened (read-only) \??\S: LSASS.EXE File opened (read-only) \??\K: SMSS.EXE File opened (read-only) \??\Z: SMSS.EXE File opened (read-only) \??\Q: WINLOGON.EXE File opened (read-only) \??\T: IExplorer.exe File opened (read-only) \??\N: WINLOGON.EXE File opened (read-only) \??\P: SMSS.EXE File opened (read-only) \??\S: 4k51k4.exe File opened (read-only) \??\M: IExplorer.exe File opened (read-only) \??\R: 4k51k4.exe -
Drops file in System32 directory 50 IoCs
description ioc Process File created C:\Windows\SysWOW64\shell.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File created C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe SMSS.EXE File created C:\Windows\SysWOW64\MrHelloween.scr d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\MrHelloween.scr LSASS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SERVICES.EXE File created C:\Windows\SysWOW64\IExplorer.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr 4k51k4.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File created C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File created C:\Windows\SysWOW64\IExplorer.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe LSASS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\shell.exe SMSS.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\shell.exe WINLOGON.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe LSASS.EXE File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\MrHelloween.scr CSRSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe CSRSS.EXE File opened for modification C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File created C:\Windows\SysWOW64\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\SysWOW64\IExplorer.exe IExplorer.exe File opened for modification C:\Windows\SysWOW64\shell.exe SERVICES.EXE File opened for modification C:\Windows\SysWOW64\IExplorer.exe WINLOGON.EXE File opened for modification C:\Windows\SysWOW64\MrHelloween.scr SMSS.EXE File created C:\Windows\SysWOW64\IExplorer.exe 4k51k4.exe File opened for modification C:\Windows\SysWOW64\shell.exe IExplorer.exe -
Drops file in Windows directory 32 IoCs
description ioc Process File opened for modification C:\Windows\4k51k4.exe CSRSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe SERVICES.EXE File created C:\Windows\4k51k4.exe WINLOGON.EXE File opened for modification C:\Windows\4k51k4.exe SMSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe WINLOGON.EXE File created C:\Windows\4k51k4.exe SMSS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe 4k51k4.exe File created C:\Windows\4k51k4.exe IExplorer.exe File created C:\Windows\4k51k4.exe CSRSS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\4k51k4.exe LSASS.EXE File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File opened for modification C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe LSASS.EXE File created C:\Windows\msvbvm60.dll IExplorer.exe File created C:\Windows\4k51k4.exe d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe File created C:\Windows\4k51k4.exe 4k51k4.exe File created C:\Windows\4k51k4.exe SERVICES.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 57 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IExplorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4k51k4.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language CSRSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LSASS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SMSS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SERVICES.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WINLOGON.EXE -
Modifies Control Panel 32 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SMSS.EXE Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ CSRSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" 4k51k4.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ IExplorer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ LSASS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" WINLOGON.EXE Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ SMSS.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ 4k51k4.exe Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR" WINLOGON.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" CSRSS.EXE Key created \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ SERVICES.EXE Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" LSASS.EXE -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile SERVICES.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command LSASS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command SMSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" 4k51k4.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" CSRSS.EXE Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command IExplorer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command 4k51k4.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe -
Suspicious behavior: GetForegroundWindowSpam 7 IoCs
pid Process 2728 4k51k4.exe 2424 CSRSS.EXE 1084 WINLOGON.EXE 2776 IExplorer.exe 1708 SERVICES.EXE 1188 LSASS.EXE 1660 SMSS.EXE -
Suspicious use of SetWindowsHookEx 56 IoCs
pid Process 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 2728 4k51k4.exe 2776 IExplorer.exe 1084 WINLOGON.EXE 2424 CSRSS.EXE 1708 SERVICES.EXE 1188 LSASS.EXE 1660 SMSS.EXE 2492 4k51k4.exe 1284 IExplorer.exe 2008 4k51k4.exe 1808 WINLOGON.EXE 2912 CSRSS.EXE 924 IExplorer.exe 1736 SERVICES.EXE 1680 LSASS.EXE 2016 4k51k4.exe 2820 WINLOGON.EXE 2716 4k51k4.exe 2692 4k51k4.exe 2132 SMSS.EXE 2180 IExplorer.exe 2600 CSRSS.EXE 2816 IExplorer.exe 2648 IExplorer.exe 1308 WINLOGON.EXE 2040 WINLOGON.EXE 1388 WINLOGON.EXE 1316 SERVICES.EXE 1532 CSRSS.EXE 1040 CSRSS.EXE 1852 SERVICES.EXE 2536 CSRSS.EXE 2528 LSASS.EXE 2204 SERVICES.EXE 632 LSASS.EXE 2720 4k51k4.exe 1472 4k51k4.exe 2208 SERVICES.EXE 904 IExplorer.exe 872 IExplorer.exe 2484 SMSS.EXE 828 LSASS.EXE 2468 WINLOGON.EXE 2212 LSASS.EXE 2460 WINLOGON.EXE 1524 SMSS.EXE 2284 SMSS.EXE 1952 SMSS.EXE 1572 CSRSS.EXE 2084 SERVICES.EXE 2844 SERVICES.EXE 2740 LSASS.EXE 2956 LSASS.EXE 2628 SMSS.EXE 2652 SMSS.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2528 wrote to memory of 2728 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 30 PID 2528 wrote to memory of 2728 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 30 PID 2528 wrote to memory of 2728 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 30 PID 2528 wrote to memory of 2728 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 30 PID 2528 wrote to memory of 2776 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 31 PID 2528 wrote to memory of 2776 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 31 PID 2528 wrote to memory of 2776 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 31 PID 2528 wrote to memory of 2776 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 31 PID 2528 wrote to memory of 1084 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 32 PID 2528 wrote to memory of 1084 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 32 PID 2528 wrote to memory of 1084 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 32 PID 2528 wrote to memory of 1084 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 32 PID 2528 wrote to memory of 2424 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 33 PID 2528 wrote to memory of 2424 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 33 PID 2528 wrote to memory of 2424 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 33 PID 2528 wrote to memory of 2424 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 33 PID 2528 wrote to memory of 1708 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 34 PID 2528 wrote to memory of 1708 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 34 PID 2528 wrote to memory of 1708 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 34 PID 2528 wrote to memory of 1708 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 34 PID 2528 wrote to memory of 1188 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 35 PID 2528 wrote to memory of 1188 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 35 PID 2528 wrote to memory of 1188 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 35 PID 2528 wrote to memory of 1188 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 35 PID 2528 wrote to memory of 1660 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 36 PID 2528 wrote to memory of 1660 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 36 PID 2528 wrote to memory of 1660 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 36 PID 2528 wrote to memory of 1660 2528 d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe 36 PID 2728 wrote to memory of 2492 2728 4k51k4.exe 37 PID 2728 wrote to memory of 2492 2728 4k51k4.exe 37 PID 2728 wrote to memory of 2492 2728 4k51k4.exe 37 PID 2728 wrote to memory of 2492 2728 4k51k4.exe 37 PID 2728 wrote to memory of 1284 2728 4k51k4.exe 38 PID 2728 wrote to memory of 1284 2728 4k51k4.exe 38 PID 2728 wrote to memory of 1284 2728 4k51k4.exe 38 PID 2728 wrote to memory of 1284 2728 4k51k4.exe 38 PID 2776 wrote to memory of 2008 2776 IExplorer.exe 39 PID 2776 wrote to memory of 2008 2776 IExplorer.exe 39 PID 2776 wrote to memory of 2008 2776 IExplorer.exe 39 PID 2776 wrote to memory of 2008 2776 IExplorer.exe 39 PID 2728 wrote to memory of 1808 2728 4k51k4.exe 40 PID 2728 wrote to memory of 1808 2728 4k51k4.exe 40 PID 2728 wrote to memory of 1808 2728 4k51k4.exe 40 PID 2728 wrote to memory of 1808 2728 4k51k4.exe 40 PID 2776 wrote to memory of 924 2776 IExplorer.exe 41 PID 2776 wrote to memory of 924 2776 IExplorer.exe 41 PID 2776 wrote to memory of 924 2776 IExplorer.exe 41 PID 2776 wrote to memory of 924 2776 IExplorer.exe 41 PID 2728 wrote to memory of 2912 2728 4k51k4.exe 42 PID 2728 wrote to memory of 2912 2728 4k51k4.exe 42 PID 2728 wrote to memory of 2912 2728 4k51k4.exe 42 PID 2728 wrote to memory of 2912 2728 4k51k4.exe 42 PID 2728 wrote to memory of 1736 2728 4k51k4.exe 43 PID 2728 wrote to memory of 1736 2728 4k51k4.exe 43 PID 2728 wrote to memory of 1736 2728 4k51k4.exe 43 PID 2728 wrote to memory of 1736 2728 4k51k4.exe 43 PID 1708 wrote to memory of 2016 1708 SERVICES.EXE 44 PID 1708 wrote to memory of 2016 1708 SERVICES.EXE 44 PID 1708 wrote to memory of 2016 1708 SERVICES.EXE 44 PID 1708 wrote to memory of 2016 1708 SERVICES.EXE 44 PID 1084 wrote to memory of 2692 1084 WINLOGON.EXE 45 PID 1084 wrote to memory of 2692 1084 WINLOGON.EXE 45 PID 1084 wrote to memory of 2692 1084 WINLOGON.EXE 45 PID 1084 wrote to memory of 2692 1084 WINLOGON.EXE 45 -
System policy modification 1 TTPs 40 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 4k51k4.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer WINLOGON.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" IExplorer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" WINLOGON.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SMSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SERVICES.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" LSASS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" CSRSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" LSASS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" SMSS.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" 4k51k4.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" CSRSS.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" IExplorer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" SERVICES.EXE Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" SMSS.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe"C:\Users\Admin\AppData\Local\Temp\d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2528 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2728 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1284
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1808
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2912
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1736
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2132
-
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2776 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2008
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:924
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2820
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1316
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2528
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2484
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1084 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2692
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2180
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1308
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2204
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:828
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2284
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2424 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2716
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2648
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1388
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2536
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2208
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2212
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1708 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2016
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2816
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1040
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1852
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:632
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1188 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1472
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:904
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2468
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2268
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2084
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2740
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2628
-
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Executes dropped EXE
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1660 -
C:\Windows\4k51k4.exeC:\Windows\4k51k4.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2720
-
-
C:\Windows\SysWOW64\IExplorer.exeC:\Windows\system32\IExplorer.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:872
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2460
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1572
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2844
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2956
-
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2652
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Change Default File Association
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
442B
MD5001424d7974b9a3995af292f6fcfe171
SHA1f8201d49d594d712c8450679c856c2e8307d2337
SHA256660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d
SHA51266ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657
-
Filesize
91KB
MD5a1251190bcef0dbe6e7dc45b5ee7feb3
SHA163b17ad4571ffc28b33f537c3e36f8cdeea7555e
SHA256d9091b79d5200bafbd337473096b1b08bec7ca87527d817ebb12f6be645d0dda
SHA512693b25fba9a299fc93af7ffb8e489170beba9f53a23f2b463fac4f326155cc47117584164efffdecc40d707b899fcbfe5954bfff44a5bc24be0e4540c7e0c51e
-
Filesize
91KB
MD520b553f5da2ce9c5515f43250666440b
SHA1c064ff2af4dd75fdfd21d83b64674618b70dfffc
SHA25611d1ebafad7f72adf9cb11c35c44937cdde428b3f21440619a4332ba4aa35ec0
SHA512ab3cd61fc708b9a07265a96259a29c86662ad14e8d9c55aa5180735e8e2aa52cc99160d1e7d1b04162580f5b8c66a1701fafd66f3a359a222df581adaadfa677
-
Filesize
1.3MB
MD55343a19c618bc515ceb1695586c6c137
SHA14dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA2562246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606
-
Filesize
91KB
MD5a73b24d10386a8312d12e393c39d2783
SHA1dbe5ef597866ddd9521bd1ff1405cdf34d38d297
SHA25657696460c35bb992e39784171908ce436cd2b63605bcf0dcb974addd922f86ae
SHA5120c869055372c7811cc8f5273dcf2b9a5ebc8794767c2a36a14a2af7c54205ca47e52e5395b5382faf4935061031833002e7c95ee3e35efb243a987f25b3431ef
-
Filesize
91KB
MD584e13ee7a891b130f64b0a73654cb675
SHA1d7f73afec54f22fb9d46d94a56f8e02b351e72d1
SHA256650b86dd7d8f93f667fabc36851dd1a746613ec024c66c0e75b11be47ce67073
SHA5127b7cea426f1c4f817036e0fa2ce3b7743e9d7e3df04d334367aad33a7ed72b97a32e395b2384507f6fe6a2b9344818a6eae0450283f24d7060a9f8b08f7b2f4c
-
Filesize
91KB
MD5bf22e0ba0c0490bafffa1ca8a75d5634
SHA128caecbc8db15955a1e36780e18d07b42175bc3c
SHA25684fdca8d2825a31f180b58d66141f5dfaa84c1f7224d39c5ce5dd1b0bbb9b761
SHA51299c75a9c6ea45a1611cadb2811aa9a5d559463eb6ed5bcb6bd150f46f2bc01dd623351cb7dfa152b608b1aba2fe6232641a699eb4501fc2480bb67b8c5988ffe
-
Filesize
91KB
MD599d0cb1787b484d45e1992addba46fba
SHA1a791911de84b8d5b838f9b538e6f48f54960c810
SHA25656eaee05a45a3a5cfa7e11ea1c5cdb2f5fa064f74581e81b65b930b36e728ea4
SHA5127cf8744ac2eba21a1f7d53eb534de44f4ba7f2090bdfedabe25099741018d6f31867b5568680e5c4086573986647a28a934d0475ead817d20110e684be864825
-
Filesize
91KB
MD579320b044d7fcd94ac05eacaf40f3907
SHA1b853274c7e9341f2cc54bbe8e1e87f29645ff9fc
SHA256d77234211c00c67d817dfdb5d71337b0094a0232fff4582a04c303caeae5d083
SHA51244112c75591b0d70a50cb08f4d0dcc1f4867a3003f55d6d51172bd88d96a6c9890e3c303d9ee2001b151d25578ba8d72d9f2381a15c356074197ccc6c527a03f
-
Filesize
91KB
MD56fe020f61cbeeac5abcd9ea3f66f911e
SHA1925633189ff9ad1ce3dfe745deca121fc33d33fd
SHA256848a80816de11fb72f2b7112a1f1bbdc81e2d49f049c4c387bb41b63f5a83bf5
SHA512512e5a9619256897c0780fbf0e9c6a0d4878f8343729f42c1dce5cfd372f320aa74d839155287a42fc1b4d9853b2dc702221d5b9b52b72dd121acd4886bbbf2c