25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28

Analysis

max time kernel
117s
max time network
130s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13-10-2023 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Size

164KB
MD5

a7d0433ce4435d2cc4b806da76dbe360
SHA1

991a569024b6320e0894e2f4459cb4b4b7a05390
SHA256

25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28
SHA512

2890284e536bce55062d1a10eddb1f45a9ef52e81c8af75d1bec54299eff3a25aff44683b70daa66884a46db46daadb578c6fee7ef2e433084cb0c2639aedafe
SSDEEP

3072:Ax/5F/E7tEf0G+p+tYlpJH7iXQNgggHlxDZiYLK5Wph:AxhF4cX+wWJH7igNgjdFKs

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 11 IoCs

pid	Process
2928	xk.exe
1812	IExplorer.exe
2876	WINLOGON.EXE
2764	CSRSS.EXE
1392	xk.exe
1296	IExplorer.exe
1324	WINLOGON.EXE
1088	CSRSS.EXE
2992	SERVICES.EXE
1228	LSASS.EXE
2384	SMSS.EXE

Loads dropped DLL 18 IoCs

pid	Process
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\desktop.ini	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened for modification	F:\desktop.ini	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	F:\desktop.ini	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\J:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\K:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\Q:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\T:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\U:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\Z:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\E:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\M:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\R:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\V:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\W:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\X:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\B:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\O:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\P:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\H:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\L:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\N:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\S:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\Y:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened (read-only)	\??\G:	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\xk.exe	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ = "_Conversation"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ = "UserProperty"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\ = "_TaskItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ = "_Category"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\ = "_OlkContactPhoto"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\ = "OlkTextBoxEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ = "_OlkComboBox"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ = "ItemEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ = "StoresEvents_12"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\ = "_AppointmentItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ = "_MailItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1568	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1568	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1568	OUTLOOK.EXE
1568	OUTLOOK.EXE
1568	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1568	OUTLOOK.EXE
1568	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
2928	xk.exe
1812	IExplorer.exe
2876	WINLOGON.EXE
2764	CSRSS.EXE
1392	xk.exe
1296	IExplorer.exe
1324	WINLOGON.EXE
1088	CSRSS.EXE
2992	SERVICES.EXE
1228	LSASS.EXE
2384	SMSS.EXE
1568	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2928	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	28
PID 3068 wrote to memory of 2928	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	28
PID 3068 wrote to memory of 2928	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	28
PID 3068 wrote to memory of 2928	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	28
PID 3068 wrote to memory of 1812	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	29
PID 3068 wrote to memory of 1812	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	29
PID 3068 wrote to memory of 1812	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	29
PID 3068 wrote to memory of 1812	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	29
PID 3068 wrote to memory of 2876	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	30
PID 3068 wrote to memory of 2876	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	30
PID 3068 wrote to memory of 2876	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	30
PID 3068 wrote to memory of 2876	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	30
PID 3068 wrote to memory of 2764	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	31
PID 3068 wrote to memory of 2764	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	31
PID 3068 wrote to memory of 2764	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	31
PID 3068 wrote to memory of 2764	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	31
PID 3068 wrote to memory of 1392	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	32
PID 3068 wrote to memory of 1392	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	32
PID 3068 wrote to memory of 1392	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	32
PID 3068 wrote to memory of 1392	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	32
PID 3068 wrote to memory of 1296	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	33
PID 3068 wrote to memory of 1296	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	33
PID 3068 wrote to memory of 1296	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	33
PID 3068 wrote to memory of 1296	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	33
PID 3068 wrote to memory of 1324	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	34
PID 3068 wrote to memory of 1324	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	34
PID 3068 wrote to memory of 1324	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	34
PID 3068 wrote to memory of 1324	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	34
PID 3068 wrote to memory of 1088	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	35
PID 3068 wrote to memory of 1088	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	35
PID 3068 wrote to memory of 1088	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	35
PID 3068 wrote to memory of 1088	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	35
PID 3068 wrote to memory of 2992	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	36
PID 3068 wrote to memory of 2992	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	36
PID 3068 wrote to memory of 2992	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	36
PID 3068 wrote to memory of 2992	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	36
PID 3068 wrote to memory of 1228	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	37
PID 3068 wrote to memory of 1228	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	37
PID 3068 wrote to memory of 1228	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	37
PID 3068 wrote to memory of 1228	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	37
PID 3068 wrote to memory of 2384	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	38
PID 3068 wrote to memory of 2384	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	38
PID 3068 wrote to memory of 2384	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	38
PID 3068 wrote to memory of 2384	3068	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe	38

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe

C:\Users\Admin\AppData\Local\Temp\a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a7d0433ce4435d2cc4b806da76dbe360exe_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3068
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2764
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1392
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1296
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1324
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2992
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1228
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2384

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
164KB

MD5
9a2596b19b7e6145c2e3cd24d28cf23d

SHA1
751f1798a734839cdc83fd9e08c57432cdd22474

SHA256
a396a6672e93e6891ba85616ba59b5fdf949b6ccf497b3f2b1b942a70d45dfde

SHA512
8d4882a9655029184b5dddba5d725c05e9d88b44a2c39029a193ac1c7ccd82d16001e6dee8acc1dd592ac16ce210e552b31ce5a333b9a82d47579f30c3dbbc02

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
164KB

MD5
ed8bfa6395964f3539c9b91dc301566a

SHA1
796942c18bdf0bdf17bb226e7e79125f7894da8c

SHA256
4219032ce15ae08230f9ec6ffe3070645272f9966b47a4abe239af35bfc6ce72

SHA512
98f0f93f779245805e4d15903a4a92f31c29533a12bd7695895830420266cad5a37eb2c0785a25a89e1c610f6f082255c9f98899901ae88a269816169982b7f1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
164KB

MD5
0930a9f7245fda149795c7a8e6b96bad

SHA1
61c3fe727c14ab7ec5b7f7df23e2940224a69b1c

SHA256
15fa56546dfa709bb38e7c85a4ec2faf91da723d5b3445669e7be93cc20f3b8f

SHA512
df8f442a8ceaa996ee0fe0d71f0da4a986847b6850563f77b43d8649575fd8c198f18da4cc0a4441b8a20fb7dd58c61c675f421c51e9c85a4a953a66c1327747

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
ffa2f2c2c4073970570495c0af65a5ab

SHA1
00afec566a683e578f33441d33486dffa8788ec3

SHA256
12e95c4877786b5e016c5ebdbcdd94512a693e1cae4216148a2f0f3b22c1d0b5

SHA512
263500b79d373ad49876fe8263788ec961e2e23db6826e93d7df5dcac97327e7ff301c42aaae20bfba7b2c6ca1e45eb58692a606c2c88d9a351d630729033c38

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
164KB

MD5
a7d0433ce4435d2cc4b806da76dbe360

SHA1
991a569024b6320e0894e2f4459cb4b4b7a05390

SHA256
25aeb8acc6bae3bf19beb66c996f8763ecbc0f6595068f188e157d1880a35d28

SHA512
2890284e536bce55062d1a10eddb1f45a9ef52e81c8af75d1bec54299eff3a25aff44683b70daa66884a46db46daadb578c6fee7ef2e433084cb0c2639aedafe

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
ae9a0277cc10f4034cd7dc56d8b395e3

SHA1
b687f27df8a61908e958977e6daaeb90775351f1

SHA256
f22067f3b1a82fc83827da2f442fc5a6cf20ddf4e67dfe1a7174b5e7262707d7

SHA512
06a1ef0ebdceb421eef1a82069a1e8c5da93995c6a8a96ba4122ba06c5997ef86e7b0a19e4e2a61e8ec9f79ee8e1e8406d945fb416796c9807f8f83e042e553a

Download Submit
C:\Windows\xk.exe

Filesize
164KB

MD5
d44c81f6580d92ee8a9bf19166e682ef

SHA1
0c445f4aa2c37786b58a647509cd89c7ea6eea76

SHA256
e152618541dd446e92ad3379eee3345e7a609e48a2cbc6b52122a25485f61d53

SHA512
2882d6268637b8ce7785fa270e34243685dd834d087de25292c0e8b68d060e15f73ad5944b5004a380a38f7c188ddd8fd80eafa2156c5878b5ea142c4a09d176

Download Submit
C:\Windows\xk.exe

Filesize
164KB

MD5
8ee48ebdbe083195c5b73accc984d9aa

SHA1
434a72db97a2d7193deb9a962a0e3c55b32cf784

SHA256
d7e749863ccd39679781213a5dda4381c7d77aafb884501ad5e83629b6c4df18

SHA512
0a7ffc836949aec9d0bf9017306e50d3180fd0952404c0d4d53e3dc7b2ff9bf5d75224eed04866a403654822cf9ac7c9fe1bea9f3127cb44d60ed8b4b2360795

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
164KB

MD5
cc0c7fa483bbd8e7592bd4aec33f10b0

SHA1
b2452fb6c1d13255d2b3b80dd5987cf78ecda642

SHA256
f8aa40794555761d80c250ecd5b55045fb458c087bb3d44784cfca578e0e341c

SHA512
b8e4478917bd9172a810e5a4885218e936c9eb9a3f0124f5c6ca506bd61dcf0c54b702575dc26c71b4bada168609f10aa61e555327cf7399b212346883a60464

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
164KB

MD5
9a2596b19b7e6145c2e3cd24d28cf23d

SHA1
751f1798a734839cdc83fd9e08c57432cdd22474

SHA256
a396a6672e93e6891ba85616ba59b5fdf949b6ccf497b3f2b1b942a70d45dfde

SHA512
8d4882a9655029184b5dddba5d725c05e9d88b44a2c39029a193ac1c7ccd82d16001e6dee8acc1dd592ac16ce210e552b31ce5a333b9a82d47579f30c3dbbc02

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
164KB

MD5
9a2596b19b7e6145c2e3cd24d28cf23d

SHA1
751f1798a734839cdc83fd9e08c57432cdd22474

SHA256
a396a6672e93e6891ba85616ba59b5fdf949b6ccf497b3f2b1b942a70d45dfde

SHA512
8d4882a9655029184b5dddba5d725c05e9d88b44a2c39029a193ac1c7ccd82d16001e6dee8acc1dd592ac16ce210e552b31ce5a333b9a82d47579f30c3dbbc02

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
164KB

MD5
ed8bfa6395964f3539c9b91dc301566a

SHA1
796942c18bdf0bdf17bb226e7e79125f7894da8c

SHA256
4219032ce15ae08230f9ec6ffe3070645272f9966b47a4abe239af35bfc6ce72

SHA512
98f0f93f779245805e4d15903a4a92f31c29533a12bd7695895830420266cad5a37eb2c0785a25a89e1c610f6f082255c9f98899901ae88a269816169982b7f1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
164KB

MD5
ed8bfa6395964f3539c9b91dc301566a

SHA1
796942c18bdf0bdf17bb226e7e79125f7894da8c

SHA256
4219032ce15ae08230f9ec6ffe3070645272f9966b47a4abe239af35bfc6ce72

SHA512
98f0f93f779245805e4d15903a4a92f31c29533a12bd7695895830420266cad5a37eb2c0785a25a89e1c610f6f082255c9f98899901ae88a269816169982b7f1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
164KB

MD5
0930a9f7245fda149795c7a8e6b96bad

SHA1
61c3fe727c14ab7ec5b7f7df23e2940224a69b1c

SHA256
15fa56546dfa709bb38e7c85a4ec2faf91da723d5b3445669e7be93cc20f3b8f

SHA512
df8f442a8ceaa996ee0fe0d71f0da4a986847b6850563f77b43d8649575fd8c198f18da4cc0a4441b8a20fb7dd58c61c675f421c51e9c85a4a953a66c1327747

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
164KB

MD5
0930a9f7245fda149795c7a8e6b96bad

SHA1
61c3fe727c14ab7ec5b7f7df23e2940224a69b1c

SHA256
15fa56546dfa709bb38e7c85a4ec2faf91da723d5b3445669e7be93cc20f3b8f

SHA512
df8f442a8ceaa996ee0fe0d71f0da4a986847b6850563f77b43d8649575fd8c198f18da4cc0a4441b8a20fb7dd58c61c675f421c51e9c85a4a953a66c1327747

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
ffa2f2c2c4073970570495c0af65a5ab

SHA1
00afec566a683e578f33441d33486dffa8788ec3

SHA256
12e95c4877786b5e016c5ebdbcdd94512a693e1cae4216148a2f0f3b22c1d0b5

SHA512
263500b79d373ad49876fe8263788ec961e2e23db6826e93d7df5dcac97327e7ff301c42aaae20bfba7b2c6ca1e45eb58692a606c2c88d9a351d630729033c38

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
164KB

MD5
ffa2f2c2c4073970570495c0af65a5ab

SHA1
00afec566a683e578f33441d33486dffa8788ec3

SHA256
12e95c4877786b5e016c5ebdbcdd94512a693e1cae4216148a2f0f3b22c1d0b5

SHA512
263500b79d373ad49876fe8263788ec961e2e23db6826e93d7df5dcac97327e7ff301c42aaae20bfba7b2c6ca1e45eb58692a606c2c88d9a351d630729033c38

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
207bcb321e02781e83874b7943a7df4e

SHA1
bfc60d79592c9d8e4c7443db08ab36cad0e87717

SHA256
552aa4d96a54f27648e6aacc4fd132ff016fd0aa439d38a98939f11e47475e46

SHA512
4f774ec4b6264472a4eea0cdb83c6b54ffd40c9daba49cdd3718ecffcf2adccadd5f15d32cd2d4d620dce73c824701ea29c96968c502495506b22bb690b8d661

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
ae9a0277cc10f4034cd7dc56d8b395e3

SHA1
b687f27df8a61908e958977e6daaeb90775351f1

SHA256
f22067f3b1a82fc83827da2f442fc5a6cf20ddf4e67dfe1a7174b5e7262707d7

SHA512
06a1ef0ebdceb421eef1a82069a1e8c5da93995c6a8a96ba4122ba06c5997ef86e7b0a19e4e2a61e8ec9f79ee8e1e8406d945fb416796c9807f8f83e042e553a

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
164KB

MD5
ae9a0277cc10f4034cd7dc56d8b395e3

SHA1
b687f27df8a61908e958977e6daaeb90775351f1

SHA256
f22067f3b1a82fc83827da2f442fc5a6cf20ddf4e67dfe1a7174b5e7262707d7

SHA512
06a1ef0ebdceb421eef1a82069a1e8c5da93995c6a8a96ba4122ba06c5997ef86e7b0a19e4e2a61e8ec9f79ee8e1e8406d945fb416796c9807f8f83e042e553a

Download Submit
memory/1568-272-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1568-273-0x0000000073C4D000-0x0000000073C58000-memory.dmp

Filesize
44KB

Download
memory/1568-373-0x0000000074111000-0x0000000074112000-memory.dmp

Filesize
4KB

Download
memory/1568-399-0x0000000073C4D000-0x0000000073C58000-memory.dmp

Filesize
44KB

Download