0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1

Analysis

max time kernel
83s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/09/2024, 18:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Size

352KB
MD5

ef987ab821d03653f8793ae427424b00
SHA1

058e013fe4eb7e50a76450ddcfd6efaf7b4e825f
SHA256

0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1
SHA512

ffeb4ec7445bfcb6aae99af3706d67ffcf791e714ec6ab105892e4e601f30f3d126b2731a3e4e3b3b17dbfff067996055e94e2041e3281cce204f8658654e294
SSDEEP

6144:vIGEnprZkRs38t54c6rzNdfiIGEnprZkRs38t54c6rzNdfH:vxEnAR934GxEnAR934D

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\Shell.exe\""	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Shell.exe"	WlNLOGON.EXE

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WlNLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Shell.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe

Executes dropped EXE 5 IoCs

pid	Process
2904	WlNLOGON.EXE
3036	Shell.exe
2748	CSRSS.EXE
336	SERVICES.EXE
2036	SMSS.EXE

Loads dropped DLL 8 IoCs

pid	Process
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe

Modifies system executable filetype association 2 TTPs 62 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SMSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Depkominfo = "C:\\Windows\\WlNLOGON.EXE"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	SERVICES.EXE

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\Desktop.ini	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\Desktop.ini	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\OEMLOGO.BMP	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\OEMINFO.ini	SMSS.EXE
File created	C:\Windows\SysWOW64\OEMLOGO.BMP	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File created	C:\Windows\SysWOW64\OEMINFO.ini	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\SysWOW64\Telematika.scr	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File created	C:\Windows\SysWOW64\Telematika.scr	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	WlNLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2664-0-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0008000000016d0e-12.dat	upx
behavioral1/files/0x00060000000171a8-94.dat	upx
behavioral1/memory/2664-92-0x00000000035B0000-0x000000000365A000-memory.dmp	upx
behavioral1/files/0x00060000000173a9-104.dat	upx
behavioral1/files/0x00060000000174cc-107.dat	upx
behavioral1/files/0x000d000000018676-116.dat	upx
behavioral1/memory/2664-122-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2904-135-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2036-134-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/files/0x0005000000018683-132.dat	upx
behavioral1/memory/2664-147-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/3036-161-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2036-175-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/336-173-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2748-171-0x0000000000400000-0x00000000004AA000-memory.dmp	upx
behavioral1/memory/2904-153-0x0000000000400000-0x00000000004AA000-memory.dmp	upx

Drops file in Windows directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\Desktop.ini	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File created	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\msvbvm60.dll	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	SERVICES.EXE
File opened for modification	C:\Windows\120.0.0.1.htm	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\msvbvm60.dll	SMSS.EXE
File created	C:\Windows\WlNLOGON.EXE	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File created	C:\Windows\Desktop.ini	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File opened for modification	C:\Windows\msvbvm60.dll	WlNLOGON.EXE
File created	C:\Windows\msvbvm60.dll	CSRSS.EXE
File created	C:\Windows\msvbvm60.dll	SERVICES.EXE
File created	C:\Windows\msvbvm60.dll	SMSS.EXE
File opened for modification	C:\Windows\WlNLOGON.EXE	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
File created	C:\Windows\120.0.0.1.htm	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SERVICES.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMSS.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WlNLOGON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CSRSS.EXE

Modifies Control Panel 42 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	WlNLOGON.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\TELEMA~1.SCR"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s2359 = "Bengi"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International\s1159 = "Awan"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	SMSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\International	SMSS.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	WlNLOGON.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	Shell.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	CSRSS.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	SERVICES.EXE
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	SMSS.EXE

Modifies Internet Explorer start page 1 TTPs 6 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	Shell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	CSRSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SERVICES.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	SMSS.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\start page = "C:\\Windows\\\\120.0.0.1.htm"	WlNLOGON.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SMSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	Shell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	SERVICES.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	WlNLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}	WlNLOGON.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	Shell.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	SMSS.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE
2036	SMSS.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
2904	WlNLOGON.EXE
3036	Shell.exe
2748	CSRSS.EXE
336	SERVICES.EXE
2036	SMSS.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2904	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	31
PID 2664 wrote to memory of 2904	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	31
PID 2664 wrote to memory of 2904	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	31
PID 2664 wrote to memory of 2904	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	31
PID 2664 wrote to memory of 3036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	32
PID 2664 wrote to memory of 3036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	32
PID 2664 wrote to memory of 3036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	32
PID 2664 wrote to memory of 3036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	32
PID 2664 wrote to memory of 2748	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	33
PID 2664 wrote to memory of 2748	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	33
PID 2664 wrote to memory of 2748	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	33
PID 2664 wrote to memory of 2748	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	33
PID 2664 wrote to memory of 336	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	34
PID 2664 wrote to memory of 336	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	34
PID 2664 wrote to memory of 336	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	34
PID 2664 wrote to memory of 336	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	34
PID 2664 wrote to memory of 2036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	35
PID 2664 wrote to memory of 2036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	35
PID 2664 wrote to memory of 2036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	35
PID 2664 wrote to memory of 2036	2664	0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe	35

C:\Users\Admin\AppData\Local\Temp\0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe
"C:\Users\Admin\AppData\Local\Temp\0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1N.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\WlNLOGON.EXE
  C:\Windows\WlNLOGON.EXE
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2904
- C:\Windows\SysWOW64\Shell.exe
  C:\Windows\system32\Shell.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3036
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:336
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
352KB

MD5
b3c3c43e599abde5a40dcfdfa0554ae2

SHA1
889dbc78e875ae60b9c7a13b8bdc8f7165f5afac

SHA256
fec636d11ec39b89d4a1477ec1d1574b68ce222b95556a77f0015628e9c4c87c

SHA512
772bfc0284df98488acd2a01ae50026f33008c9fc1adf92ab6f72c1b6ce302e2d9163be76912f1d09619a3c58912a8ffa143a6f78db2cfe8b2ad7ce8b46161d0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
352KB

MD5
ef987ab821d03653f8793ae427424b00

SHA1
058e013fe4eb7e50a76450ddcfd6efaf7b4e825f

SHA256
0893c0766146663bbb65722ead7e5a33ad6ae46e90ed06245f0c924728c54aa1

SHA512
ffeb4ec7445bfcb6aae99af3706d67ffcf791e714ec6ab105892e4e601f30f3d126b2731a3e4e3b3b17dbfff067996055e94e2041e3281cce204f8658654e294

Download Submit
C:\Windows\Desktop.ini

Filesize
65B

MD5
990a0bd866566534e37192439277e040

SHA1
90abfe04350a375df3beddd411256143e606461b

SHA256
ee3aaf1bcc2539bdddb6f25f4d0902cd023d83d902196d1bf2fcd37a73469038

SHA512
e598c68ae8f1a62cbc870fb7cf2c634ba24d1f1bfa62428a23aac7c914b3a775fa06564b6e084eaf9215086da433a80e49f2cbe81ca990414df3e57716dea4b7

Download Submit
C:\Windows\MSVBVM60.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\OEMINFO.ini

Filesize
462B

MD5
45d327d7d806625d696945dea064d7a2

SHA1
81a36b2a66c8dcce870a82409c6f772cc06addf0

SHA256
e022ef7261dfe3e79b78e4bff605ae3f0480cd54d80b7c3358bd9091a0f0f04a

SHA512
8b78bb4fa2c05d509cf171525b0ba7bf735a8890854f0ef16b29c9456ff547ccd86423068f61c21b8f35a0797ee44f9a8697861c34f133c6c26dfcf99e8f849c

Download Submit
C:\Windows\SysWOW64\OEMLOGO.BMP

Filesize
40KB

MD5
4de286f5923036648db750d58ba496e8

SHA1
0252d5d6c7a3b7dfa71fca4b30a53522fd7c6f67

SHA256
eb79555170611879e79b4cdba59bdf679e63df9d7927d01354e5cf859274c58c

SHA512
069daaa01a04add11a9e5fc0988b5d42e6ad50011fa148df41ffb3a905ffc170ab65ba66f4ad921306503d8792dd192c173c532232fc7ef146c09aa76ddf548f

Download Submit
C:\Windows\SysWOW64\shell.exe

Filesize
352KB

MD5
a5ed68a9332235179b9503da763039dd

SHA1
cf964d038741a8188d6d2247cb0b82e1a8cbf702

SHA256
01b120b1f958f8028cd46cfc69f712615adca723f267b44e66d516dd36ffd17d

SHA512
d1f7ac218db93433c90204c596e61b2198bd3db6201bd3c710567ca4ad02cbe5f5ec16de0a69020a9679c36646be14f4a2437a42ac14d74c6c0f905200c66674

Download Submit
C:\Windows\WlNLOGON.EXE

Filesize
352KB

MD5
49508c5cc93ffe2edcd5bdd5709e7e91

SHA1
2ae49cf3df5d98867f8c298ff03f0c421c55e89c

SHA256
c0874ccd540481486f71f72e9f4c183756285b8d9efbc2b17478ab270ed4de52

SHA512
f15ba03b20dfb38e33b07b1e0c4366a795a2297b2b002f8fefd0caa823c1d24fc2aba782e5153b800a5fee3e4589644821bfd7e1aeecdf27c1134aef6ddef376

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
352KB

MD5
90c099d5259059ba3fae0b6ca92a8b44

SHA1
31af232e84222622ebebff8533464650b218b90c

SHA256
21853cf39b9d2313da57cf27e1d376d83b3c51da7ed172077215da4f94492560

SHA512
6f39546b5a43101d0ad688ef7e52c0d4d4109d998dc2459887fef9fe4bb540f26e63ae70e829d5a2161d1e4221b10c8c86487d94a5ca910771cd62b97992899c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
352KB

MD5
fb1b12851f9006680afcb678a3b71413

SHA1
a1f7a83740fb97ff2b5020ee74871f4d4f7a8c66

SHA256
fe3b35db2451e0c7792efaee88c8dad75d35f2aa9a0f5b25e9b7fe15c29b5d0b

SHA512
02f2e0c0ecf05306c638ae6e8bcdc36d865d21b3d38413e66ce5d88021ad6e4622a613c5817cfc0690021a88c5a991ba4bf4187a6007ec05a0c169e60d365a5f

Download Submit
memory/336-173-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2036-134-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2036-175-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2664-0-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2664-133-0x00000000035B0000-0x000000000365A000-memory.dmp

Filesize
680KB

Download
memory/2664-122-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2664-92-0x00000000035B0000-0x000000000365A000-memory.dmp

Filesize
680KB

Download
memory/2664-147-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2664-93-0x00000000035B0000-0x000000000365A000-memory.dmp

Filesize
680KB

Download
memory/2748-171-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2904-135-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/2904-152-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2904-153-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download
memory/3036-161-0x0000000000400000-0x00000000004AA000-memory.dmp

Filesize
680KB

Download