3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

Change Default File Association

T1042

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

Hidden Files and Directories

Modify Registry

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Disables RegEdit via registry modification 2 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

Processes:

xk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXE

pid	process
972	xk.exe
2016	IExplorer.exe
1992	WINLOGON.EXE
1968	CSRSS.EXE
1772	SERVICES.EXE
1696	LSASS.EXE
1752	SMSS.EXE
1324	xk.exe
1984	IExplorer.exe
1252	WINLOGON.EXE
1636	CSRSS.EXE
1464	SERVICES.EXE
1340	LSASS.EXE
1032	SMSS.EXE

UPX packed file 53 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\xk.exe	upx
behavioral1/memory/972-61-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Windows\SysWOW64\IExplorer.exe	upx
\Windows\SysWOW64\IExplorer.exe	upx
C:\Windows\SysWOW64\IExplorer.exe	upx
behavioral1/memory/2016-68-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral1/memory/1992-75-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
behavioral1/memory/1968-82-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
behavioral1/memory/1772-89-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
behavioral1/memory/1696-96-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
behavioral1/memory/1752-103-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Windows\xk.exe	upx
behavioral1/memory/1324-109-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Windows\SysWOW64\IExplorer.exe	upx
\Windows\SysWOW64\IExplorer.exe	upx
C:\Windows\SysWOW64\IExplorer.exe	upx
behavioral1/memory/1984-116-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE	upx
behavioral1/memory/776-120-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE	upx
behavioral1/memory/1636-132-0x0000000000400000-0x000000000042F000-memory.dmp	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
behavioral1/memory/1464-141-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
behavioral1/memory/1340-146-0x0000000000400000-0x000000000042F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE	upx
behavioral1/memory/1032-152-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/776-160-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Loads dropped DLL 24 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

pid	process
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
File opened for modification	C:\desktop.ini	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\desktop.ini	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
File opened (read-only)	\??\O:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\Q:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\V:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\W:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\J:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\F:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\K:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\M:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\N:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\R:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\S:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\Z:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\E:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\G:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\I:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\L:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\P:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\T:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\U:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\Y:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\B:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\X:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened (read-only)	\??\H:	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Drops file in System32 directory 20 IoCs

Processes:

OUTLOOK.EXE3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exeOUTLOOK.EXE

description	ioc	process
File opened for modification	C:\Windows\xk.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\Windows\xk.exe	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Control Panel\Desktop\	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ = "_ToOrFromRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ = "Action"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ = "OutlookBarStorage"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\ = "_Account"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ = "ItemEvents_10"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ = "_NavigationModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ = "_Column"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\ = "_Table"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067366-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ = "_AddressRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ = "UserProperties"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ = "_Columns"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

240 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

pid process

776 3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OUTLOOK.EXE

pid process

240 OUTLOOK.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

OUTLOOK.EXE

pid process

240 OUTLOOK.EXE
240 OUTLOOK.EXE
240 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

OUTLOOK.EXE

pid process

240 OUTLOOK.EXE
240 OUTLOOK.EXE

pid	process
240	OUTLOOK.EXE

pid	process
240	OUTLOOK.EXE

pid	process
240	OUTLOOK.EXE
240	OUTLOOK.EXE
240	OUTLOOK.EXE

pid	process
240	OUTLOOK.EXE
240	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exexk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXExk.exeIExplorer.exeWINLOGON.EXECSRSS.EXESERVICES.EXELSASS.EXESMSS.EXEOUTLOOK.EXE

pid	process
776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
972	xk.exe
2016	IExplorer.exe
1992	WINLOGON.EXE
1968	CSRSS.EXE
1772	SERVICES.EXE
1696	LSASS.EXE
1752	SMSS.EXE
1324	xk.exe
1984	IExplorer.exe
1252	WINLOGON.EXE
1636	CSRSS.EXE
1464	SERVICES.EXE
1340	LSASS.EXE
1032	SMSS.EXE
240	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	pid	process	target process
PID 776 wrote to memory of 972	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 972	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 972	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 972	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 2016	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 2016	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 2016	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 2016	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 1992	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1992	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1992	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1992	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1968	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1968	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1968	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1968	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1772	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1772	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1772	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1772	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1696	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1696	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1696	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1696	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1752	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1752	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1752	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1752	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1324	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 1324	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 1324	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 1324	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	xk.exe
PID 776 wrote to memory of 1984	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 1984	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 1984	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 1984	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	IExplorer.exe
PID 776 wrote to memory of 1252	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1252	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1252	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1252	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	WINLOGON.EXE
PID 776 wrote to memory of 1636	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1636	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1636	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1636	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	CSRSS.EXE
PID 776 wrote to memory of 1464	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1464	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1464	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1464	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SERVICES.EXE
PID 776 wrote to memory of 1340	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1340	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1340	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1340	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	LSASS.EXE
PID 776 wrote to memory of 1032	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1032	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1032	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE
PID 776 wrote to memory of 1032	776	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe	SMSS.EXE

System policy modification 1 TTPs 4 IoCs

Modify Registry

Processes:

3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe

outlook_win_path 1 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe
"C:\Users\Admin\AppData\Local\Temp\3880f8fe33d6d52589a613b5d764e1d864c6ceeac2abd5ac7911176ce6315a42.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:776

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1992

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1752

C:\Windows\xk.exe
C:\Windows\xk.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1324

C:\Windows\SysWOW64\IExplorer.exe
C:\Windows\system32\IExplorer.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1252

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1464

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1340

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:240

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Hidden Files and Directories