f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Size

352KB
MD5

91c5cc26bc07591bc884074fa73211bd
SHA1

6f2b48d9d87664ab4e6daac0524d83b2aabc63c0
SHA256

f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1
SHA512

024ca3f46cb026ed9b3f10a9c058606db49853bd86b4dd4523a2376503fa2360477ab44699cba811e61fc42f31210cf3a493b25320a26f005358aa246e2da96d
SSDEEP

6144:vIGEnprZkRs38t54c6rzNdfsIGEnprZkRs38t54c6rzNdfW:vxEnAR934YxEnAR934S

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SERVICES.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe

Executes dropped EXE 5 IoCs

pid	Process
984	WlNLOGON.EXE
2028	Shell.exe
1904	CSRSS.EXE
2804	SERVICES.EXE
1940	SMSS.EXE

Loads dropped DLL 8 IoCs

pid	Process
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2848-0-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x00080000000190ce-12.dat	upx
behavioral1/memory/2028-108-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/1904-119-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0005000000019426-115.dat	upx
behavioral1/memory/2804-130-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2028-158-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2804-162-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/1904-160-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2848-152-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2848-149-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/984-155-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/1940-150-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0005000000019442-147.dat	upx
behavioral1/memory/2848-138-0x0000000002920000-0x00000000029CA000-memory.dmp	upx
behavioral1/files/0x0005000000019438-126.dat	upx
behavioral1/files/0x0005000000019397-104.dat	upx
behavioral1/memory/2848-93-0x0000000002920000-0x00000000029CA000-memory.dmp	upx
behavioral1/files/0x000500000001936b-92.dat	upx

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Desktop.ini	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\Desktop.ini	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\OEMINFO.ini	SMSS.EXE
File created	C:\Windows\SysWOW64\OEMLOGO.BMP	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WlNLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\OEMLOGO.BMP	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\Telematika.scr	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\SysWOW64\OEMINFO.ini	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\SysWOW64\Telematika.scr	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\SysWOW64\shell.exe	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\msvbvm60.dll	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\msvbvm60.dll	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	SERVICES.EXE
File created	C:\Windows\WlNLOGON.EXE	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\WlNLOGON.EXE	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\120.0.0.1.htm	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	SMSS.EXE
File created	C:\Windows\120.0.0.1.htm	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\Desktop.ini	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File created	C:\Windows\Desktop.ini	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
File opened for modification	C:\Windows\msvbvm60.dll	SMSS.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WlNLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s2359 = "Bengi"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\s1159 = "Awan"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International	CSRSS.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	SMSS.EXE

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SMSS.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	WlNLOGON.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
1940	SMSS.EXE
1940	SMSS.EXE
1940	SMSS.EXE
1940	SMSS.EXE
1940	SMSS.EXE
1940	SMSS.EXE
1940	SMSS.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
984	WlNLOGON.EXE
2028	Shell.exe
1904	CSRSS.EXE
2804	SERVICES.EXE
1940	SMSS.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 984	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	31
PID 2848 wrote to memory of 984	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	31
PID 2848 wrote to memory of 984	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	31
PID 2848 wrote to memory of 984	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	31
PID 2848 wrote to memory of 2028	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	32
PID 2848 wrote to memory of 2028	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	32
PID 2848 wrote to memory of 2028	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	32
PID 2848 wrote to memory of 2028	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	32
PID 2848 wrote to memory of 1904	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	33
PID 2848 wrote to memory of 1904	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	33
PID 2848 wrote to memory of 1904	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	33
PID 2848 wrote to memory of 1904	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	33
PID 2848 wrote to memory of 2804	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	34
PID 2848 wrote to memory of 2804	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	34
PID 2848 wrote to memory of 2804	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	34
PID 2848 wrote to memory of 2804	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	34
PID 2848 wrote to memory of 1940	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	35
PID 2848 wrote to memory of 1940	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	35
PID 2848 wrote to memory of 1940	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	35
PID 2848 wrote to memory of 1940	2848	f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe	35

C:\Users\Admin\AppData\Local\Temp\f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe
"C:\Users\Admin\AppData\Local\Temp\f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\WlNLOGON.EXE
  C:\Windows\WlNLOGON.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:984
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2028
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
352KB

MD5
1ca61307f42edebc4b96a5c2c6a4309d

SHA1
3b7c270f2f0791ac85219adcd318012086517fcc

SHA256
bac22f886dc79fbbd8dd1d232ff0096b93cd9f77e1ff1c219bc0ebf732fe33a2

SHA512
f0e32fbcb2d163f3ebd671cbd145a1cb4b34cf66608eb61849d054a8c334e1cb7ba27a0cb46c26c22575c6a427f091429c6a895218f5e299b07be784ba3938d7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
352KB

MD5
3ae451ef38d0978021a76cbd46c3e425

SHA1
33c196d650b2882ff7d04fa28108d172c437f7eb

SHA256
2a548edb6448c0140fd619a1ef0287dcf92b538e30bb9697a0da7ae51968b02f

SHA512
7bc0dc4bc496247a176404f3fd456c706e1c0d1d72e5153d5d3b38e9cf3fe95efe36c4db03a29efb83bd9435c1bf9158a45850a9879b40d5a6e7f8f4f30eeda1

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
352KB

MD5
91c5cc26bc07591bc884074fa73211bd

SHA1
6f2b48d9d87664ab4e6daac0524d83b2aabc63c0

SHA256
f23abab413c87d2d1463ee4648ec590b6d620afe1799d2831b8c657cf96d39c1

SHA512
024ca3f46cb026ed9b3f10a9c058606db49853bd86b4dd4523a2376503fa2360477ab44699cba811e61fc42f31210cf3a493b25320a26f005358aa246e2da96d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.exe

Filesize
352KB

MD5
6a145e443795d0f65381a98efc567f54

SHA1
79f0cbbd24e529a834104f33175f7f9adf1dee5f

SHA256
32cea11ceb73981f17938ed882e383dd4e99297cc9c455f9b06b6e00476c6611

SHA512
40cb67f5ac9b89e21301c6b7c96d5432ca8786fd418fb24d8f0341eb783dbd4fe103c697645fa673e128020e0bfc67be796a9dfec43e1cd261b7cba9396f2bb7

Download Submit
C:\Windows\Desktop.ini

Filesize
65B

MD5
990a0bd866566534e37192439277e040

SHA1
90abfe04350a375df3beddd411256143e606461b

SHA256
ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038

SHA512
e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\OEMINFO.ini

Filesize
462B

MD5
45d327d7d806625d696945dea064d7a2

SHA1
81a36b2a66c8dcce870a82409c6f772cc06addf0

SHA256
e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

SHA512
8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

Download Submit
C:\Windows\SysWOW64\OEMLOGO.BMP

Filesize
40KB

MD5
4de286f5923036648db750d58ba496e8

SHA1
0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

SHA256
eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

SHA512
069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
352KB

MD5
dfa647a1493a0b85e45dd29914d3072b

SHA1
13cae1e49bb39019de4dd2032690bf669de3d3a7

SHA256
9c01529a2fef32a7656093e9b36bd13456fae557c17cdac230801859c0895cc9

SHA512
206520cf4186d3251f25494e28e20893d29604ab94d58dd12d603c2cd45db6a356bdfac474dcf6a35e3619bb7f04ceea3c22a1b3ce1fe86b163bfdd2b88856e1

Download Submit
C:\Windows\WlNLOGON.EXE

Filesize
352KB

MD5
058eb6eecd9bba400bb969b239eb8734

SHA1
e6604d72799d2588fd053c6295b1a4ad6be813f5

SHA256
c118905c10041121416ec3f3f54df55de3724dbaa3837af6cf136e317d8a0ea5

SHA512
036039e5bcf766b4a114645ae51dc452e27f6a4bfd96a7a9d26b113888c67cafc6ea8bbffa2b794757839db53828beebeb9decad7a5edf2535306cf427bd5740

Download Submit
memory/984-155-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/984-154-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1904-119-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1904-160-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/1940-150-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2028-158-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2028-108-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2804-130-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2804-162-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2848-149-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2848-141-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-138-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-127-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-152-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2848-105-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2848-93-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-116-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download
memory/2848-95-0x0000000002920000-0x00000000029CA000-memory.dmp

Filesize
680KB

Download