Analysis
max time kernel: 129s
max time network: 125s
platform: windows7_x64
resource: win7-20230831-en
resource tags: arch:x64 arch:x86 image:win7-20230831-en locale:en-us os:windows7-x64 system
submitted: 14/10/2023, 18:07
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.9a80d24836f6176ed8ea905836958050.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: NEAS.9a80d24836f6176ed8ea905836958050.exe
  Resource: win10v2004-20230915-en
General
Target: NEAS.9a80d24836f6176ed8ea905836958050.exe
Size: 222KB
MD5: 9a80d24836f6176ed8ea905836958050
SHA1: 4a8b2388076edf92bb66cb65a6ab5f28a77a0710
SHA256: 6dcf54625fee659e41e75ac47bbeeadf172b3447fcc9be02f7db87c1f654cc22
SHA512: cda3bf2aee167308148426d283b8eeec0fe1f7426bb338da96a6cae0addd073753cc38328d89cd3968079d4c320d92bc8205a2522c445b0762f7970d8b52269e
SSDEEP: 3072:X/5F/E7tEf0h+p+tYlpJH7iXQNgggHlxDZiYLK5WplwS4or4wS4M:XhF4cE+wWJH7igNgjdFKs6or4qM
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
  description ioc Process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" NEAS.9a80d24836f6176ed8ea905836958050.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  description ioc Process
  Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" NEAS.9a80d24836f6176ed8ea905836958050.exe
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
  description ioc Process
  Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" NEAS.9a80d24836f6176ed8ea905836958050.exe
Disables RegEdit via registry modification 2 IoCs
  description ioc Process
  Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NEAS.9a80d24836f6176ed8ea905836958050.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 11 IoCs
  pid Process
  2592 xk.exe
  2424 IExplorer.exe
  1568 WINLOGON.EXE
  1692 CSRSS.EXE
  1416 xk.exe
  2792 IExplorer.exe
  2360 WINLOGON.EXE
  2036 CSRSS.EXE
  2872 SERVICES.EXE
  1052 LSASS.EXE
  1048 SMSS.EXE
Loads dropped DLL 18 IoCs
  pid Process
  1732 NEAS.9a80d24836f6176ed8ea905836958050.exe (18 entries, all identical)
Modifies system executable filetype association 2 TTPs 13 IoCs
  description ioc Process
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" NEAS.9a80d24836f6176ed8ea905836958050.exe
Adds Run key to start application 2 TTPs 5 IoCs
  description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" NEAS.9a80d24836f6176ed8ea905836958050.exe
Drops desktop.ini file(s) 4 IoCs
  description ioc Process
  File created C:\desktop.ini NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened for modification F:\desktop.ini NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created F:\desktop.ini NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened for modification C:\desktop.ini NEAS.9a80d24836f6176ed8ea905836958050.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
  description ioc Process
  File opened (read-only) \??\M: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\N: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\Q: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\X: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\B: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\I: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\J: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\E: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\P: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\S: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\H: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\K: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\V: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\R: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\T: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\U: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\W: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\Y: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\G: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\L: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\O: NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened (read-only) \??\Z: NEAS.9a80d24836f6176ed8ea905836958050.exe
Drops file in System32 directory 20 IoCs
  description ioc Process
  File created C:\Windows\SysWOW64\shell.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\SysWOW64\Mig2.scr NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\SysWOW64\IExplorer.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\system32\perfc007.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfh009.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfh00C.dat OUTLOOK.EXE
  File created C:\Windows\SysWOW64\PerfStringBackup.TMP OUTLOOK.EXE
  File created C:\Windows\system32\perfh007.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfc00C.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfc011.dat OUTLOOK.EXE
  File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI OUTLOOK.EXE
  File created C:\Windows\system32\perfh00A.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfh011.dat OUTLOOK.EXE
  File opened for modification C:\Windows\SysWOW64\shell.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened for modification C:\Windows\SysWOW64\IExplorer.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File opened for modification C:\Windows\SysWOW64\Mig2.scr NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\system32\perfc009.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfc00A.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfc010.dat OUTLOOK.EXE
  File created C:\Windows\system32\perfh010.dat OUTLOOK.EXE
Drops file in Windows directory 5 IoCs
  description ioc Process
  File opened for modification C:\Windows\xk.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\xk.exe NEAS.9a80d24836f6176ed8ea905836958050.exe
  File created C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE
  File opened for modification C:\Windows\inf\Outlook\outlperf.h OUTLOOK.EXE
  File created C:\Windows\inf\Outlook\0009\outlperf.ini OUTLOOK.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 4 IoCs
  description ioc Process
  Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" NEAS.9a80d24836f6176ed8ea905836958050.exe
Modifies Internet Explorer settings
  description ioc Process
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" OUTLOOK.EXE
  Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" OUTLOOK.EXE
  Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar OUTLOOK.EXE
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" OUTLOOK.EXE
  Set value (str) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" OUTLOOK.EXE
  Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel OUTLOOK.EXE
  Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt OUTLOOK.EXE
  Key created \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote OUTLOOK.EXE
  Set value (int) \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" OUTLOOK.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  pid Process
  1540 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
  pid Process
  1732 NEAS.9a80d24836f6176ed8ea905836958050.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  pid Process
  1540 OUTLOOK.EXE
Suspicious use of FindShellTrayWindow 3 IoCs
  pid Process
  1540 OUTLOOK.EXE
  1540 OUTLOOK.EXE
  1540 OUTLOOK.EXE
Suspicious use of SendNotifyMessage 2 IoCs
  pid Process
  1540 OUTLOOK.EXE
  1540 OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 13 IoCs
  pid Process
  1732 NEAS.9a80d24836f6176ed8ea905836958050.exe
  2592 xk.exe
  2424 IExplorer.exe
  1568 WINLOGON.EXE
  1692 CSRSS.EXE
  1416 xk.exe
  2792 IExplorer.exe
  2360 WINLOGON.EXE
  2036 CSRSS.EXE
  2872 SERVICES.EXE
  1052 LSASS.EXE
  1048 SMSS.EXE
  1540 OUTLOOK.EXE
Suspicious use of WriteProcessMemory 44 IoCs
  description pid Process procid_target (each row below is listed 4 times)
  PID 1732 wrote to memory of 2592 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 28
  PID 1732 wrote to memory of 2424 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 29
  PID 1732 wrote to memory of 1568 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 30
  PID 1732 wrote to memory of 1692 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 31
  PID 1732 wrote to memory of 1416 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 32
  PID 1732 wrote to memory of 2792 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 33
  PID 1732 wrote to memory of 2360 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 34
  PID 1732 wrote to memory of 2036 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 35
  PID 1732 wrote to memory of 2872 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 36
  PID 1732 wrote to memory of 1052 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 37
  PID 1732 wrote to memory of 1048 1732 NEAS.9a80d24836f6176ed8ea905836958050.exe 38
System policy modification 1 TTPs 4 IoCs
  description ioc Process
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer NEAS.9a80d24836f6176ed8ea905836958050.exe
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" NEAS.9a80d24836f6176ed8ea905836958050.exe
  Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System NEAS.9a80d24836f6176ed8ea905836958050.exe
Processes
Image: C:\Users\Admin\AppData\Local\Temp\NEAS.9a80d24836f6176ed8ea905836958050.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.9a80d24836f6176ed8ea905836958050.exe"
PID:1732
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
  Image: C:\Windows\xk.exe
  Command line: C:\Windows\xk.exe
  PID:2592
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  PID:2424
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  PID:1568
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  PID:1692
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Windows\xk.exe
  Command line: C:\Windows\xk.exe
  PID:1416
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Windows\SysWOW64\IExplorer.exe
  Command line: C:\Windows\system32\IExplorer.exe
  PID:2792
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  PID:2360
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  PID:2036
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  PID:2872
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  PID:1052
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  Image: C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  Command line: "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  PID:1048
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
Image: C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
Command line: "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
PID:1540
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
  Event Triggered Execution: 1
    Change Default File Association: 1
Privilege Escalation
  Boot or Logon Autostart Execution: 2
    Registry Run Keys / Startup Folder: 1
    Winlogon Helper DLL: 1
  Event Triggered Execution: 1
    Change Default File Association: 1
Defense Evasion
  Hide Artifacts: 2
    Hidden Files and Directories: 2
  Modify Registry: 7
Downloads
-
Filesize
222KB
MD59a80d24836f6176ed8ea905836958050
SHA14a8b2388076edf92bb66cb65a6ab5f28a77a0710
SHA2566dcf54625fee659e41e75ac47bbeeadf172b3447fcc9be02f7db87c1f654cc22
SHA512cda3bf2aee167308148426d283b8eeec0fe1f7426bb338da96a6cae0addd073753cc38328d89cd3968079d4c320d92bc8205a2522c445b0762f7970d8b52269e
-
Filesize
222KB
MD5369aec65b1f1b5f1ab99a1aeaa605d2b
SHA113950269735d4d7bfbf9d0f38bcfcf0de8145a15
SHA25678f2efb4befca097a9220b9f6ac09ae4c3ea96fa9e8d3034d5d03765044e307a
SHA51205c6a4e5f09d21f9f6ec17e607a0edf83469df290802df8b8fbc544e315c95892e0ddc63c7b1b93f0f81e7b6c1e02d92029d4a42c9512793c2a12000cc99c46d
-
Filesize
222KB
MD5a5f0b996282bd727c2ca5e592b24812d
SHA11785005081e7517eae9fa8a8550948fb9e90c8f5
SHA256e476755ae3067216ae43ead2e1802a28a2ce513d4c753ab6f150f867e9ccc9b7
SHA512ad9aa7ef5ceb336eaf96c93f69a0e3c98728e77589d5e38d65a1db7e5109d67d5d6e19105cc6b59a5c868c6324d7ab83b693c342e9d01ec9908813deeb4244e3
-
Filesize
222KB
MD59547a90a9f47f6c1280a5a8525d935e9
SHA1e1cc7a519d567e99f78b768066c62db2e7b34333
SHA256aea48c0be1670a8c796075406ce1dc59cbac4f0d1874688e169dbd1027a97b77
SHA512d53ab65fe51a757a0907910343e2ba87c2b4dd63168833d440dec372ab1ace33f6cd943d293759ac7c84954feb74839b496e3bc01cca4dd5d48040831624f991
-
Filesize
222KB
MD535a15732cc7f12b7f69a247045d5c7a0
SHA1329a5fd2ed4c4657e44a7f71df6b4ec1762151f9
SHA2563bf020094e9c38fd5184a9691dc27c3ba6bec63ea227d59f80a174d7314e6fa6
SHA512ed2973c75ef4fc659bb27e278a98fee8819e26065905ef12e78991ac5118c167b622217baaf25921b868ac9df5e6750a19050645071f637cd1b6e8c011801efa
-
Filesize
222KB
MD59d0ae1f1281b0e4471cdb9a3c6f2fea9
SHA13b2eb0e04c3eef417514aa9620e25df713d1c36a
SHA25611476b06409b8a84fc299e3ee0d7b27e3d759eba1989c733609a28f3d10bf2b4
SHA512ac3bffbecb0649da400f5e920ffb9b79799c5697380d81c47ee3c0f6fd507cb717e7765b43084035556e3edeb860810d50b8fc05bb90e08dc5a6bccae602f635
-
Filesize
222KB
MD59d0ae1f1281b0e4471cdb9a3c6f2fea9
SHA13b2eb0e04c3eef417514aa9620e25df713d1c36a
SHA25611476b06409b8a84fc299e3ee0d7b27e3d759eba1989c733609a28f3d10bf2b4
SHA512ac3bffbecb0649da400f5e920ffb9b79799c5697380d81c47ee3c0f6fd507cb717e7765b43084035556e3edeb860810d50b8fc05bb90e08dc5a6bccae602f635
-
Filesize
222KB
MD5943e18283f02336d7a36f652e29d55dd
SHA19a76e8caf7b08a916f03fa5292b64afd159ef5fd
SHA2566712ccf4ace99df5742f64cab914e5e4a6bc5ed03f6aedcb48384fcc16aa9511
SHA512b4fa114fee3600a6895d002830eb2fad6b58778dd1d99fb8eb04b67331af256cae766ddb7cadeec61875b0216e8ed6b7c5fc54934bdb66b89bc0e6fceeb0bb05
-
Filesize
222KB
MD5943e18283f02336d7a36f652e29d55dd
SHA19a76e8caf7b08a916f03fa5292b64afd159ef5fd
SHA2566712ccf4ace99df5742f64cab914e5e4a6bc5ed03f6aedcb48384fcc16aa9511
SHA512b4fa114fee3600a6895d002830eb2fad6b58778dd1d99fb8eb04b67331af256cae766ddb7cadeec61875b0216e8ed6b7c5fc54934bdb66b89bc0e6fceeb0bb05
-
Filesize
222KB
MD58e8a09d9f311c23c7c604b0646232ad9
SHA175ce33803dad4197bf4daab4e1f74a39813f71a6
SHA2563586b26d45393bede3bed0c9acb0a03f67916009d9811f0f15d4c1fc1646a26b
SHA51223e1f59bb1090ca56421adb6a04614e4ff50f6b0358703df7a515738f6e2d3a59bbc6c99eabe2d4e9068e1d0b948a84aa2c016e13a6e722c251a6590d5b6d8c7
-
Filesize
222KB
MD58e8a09d9f311c23c7c604b0646232ad9
SHA175ce33803dad4197bf4daab4e1f74a39813f71a6
SHA2563586b26d45393bede3bed0c9acb0a03f67916009d9811f0f15d4c1fc1646a26b
SHA51223e1f59bb1090ca56421adb6a04614e4ff50f6b0358703df7a515738f6e2d3a59bbc6c99eabe2d4e9068e1d0b948a84aa2c016e13a6e722c251a6590d5b6d8c7
-
Filesize
222KB
MD5f68b9d987d8961fe08431fe0b1781b58
SHA1beb6dc22fe4329a518976ca678501e1a3d0cf1bf
SHA2563f6fe6715ea9c581b9be991c8a1d763d8bfa22666e415de8e3747f35344df18b
SHA5128164374bf3fdcc6d21bdcc13683eebe188c9149a1ff90bd71f0ba830c6ace036fad252dc2f7715fc1b63431f092db29470c7c08a425d7c6da2e0ff9438298c6d
-
Filesize
222KB
MD5f68b9d987d8961fe08431fe0b1781b58
SHA1beb6dc22fe4329a518976ca678501e1a3d0cf1bf
SHA2563f6fe6715ea9c581b9be991c8a1d763d8bfa22666e415de8e3747f35344df18b
SHA5128164374bf3fdcc6d21bdcc13683eebe188c9149a1ff90bd71f0ba830c6ace036fad252dc2f7715fc1b63431f092db29470c7c08a425d7c6da2e0ff9438298c6d
-
Filesize
222KB
MD565ddd58b1c0d8a8d63fdef882a67039c
SHA16d3f8f9689c296e213454b5132a868585ea0e21a
SHA256068fb56530e50a729d24a661da7d92403252a909a8b23dfc6ea88a1596385ef0
SHA5123f04006f513f3f30e9a13aeb69c261e39435aee63b86829f9465f1e1f51bb4d5cdd2c0992908589ec908549e31baad25e08572d434d6102d761a2c2793802b6b
-
Filesize
222KB
MD565ddd58b1c0d8a8d63fdef882a67039c
SHA16d3f8f9689c296e213454b5132a868585ea0e21a
SHA256068fb56530e50a729d24a661da7d92403252a909a8b23dfc6ea88a1596385ef0
SHA5123f04006f513f3f30e9a13aeb69c261e39435aee63b86829f9465f1e1f51bb4d5cdd2c0992908589ec908549e31baad25e08572d434d6102d761a2c2793802b6b
-
Filesize
222KB
MD55ee65066efde97955dcfdc70123caf64
SHA1af39e5af739cad2101b2868cfdcc677f80782490
SHA2564dcb3db618d4eb928f807ab25632ff29e990a648f4962ed23946778ab05f3493
SHA5124d0e6055e0bef05b97c0f27c9d3bba8fb80626992763d04ecb025ca2bea9f0ac95eec9d24b980adbe004561d48e88c0b681238d0f41f9f85eb70bd8bab388834
-
Filesize
222KB
MD55ee65066efde97955dcfdc70123caf64
SHA1af39e5af739cad2101b2868cfdcc677f80782490
SHA2564dcb3db618d4eb928f807ab25632ff29e990a648f4962ed23946778ab05f3493
SHA5124d0e6055e0bef05b97c0f27c9d3bba8fb80626992763d04ecb025ca2bea9f0ac95eec9d24b980adbe004561d48e88c0b681238d0f41f9f85eb70bd8bab388834
-
Filesize
222KB
MD5258b84a4c1af516d463323bcc90aa94a
SHA1751bf1eb8759e9cc35ca28f7fe83afa1409435dc
SHA2560c53524cc55785d6a648dfa7e3b08a6ecb6f2247cd3a8983c2dc54f1a2d0733b
SHA512fd8cd36d813dc58d98ed01e895f08daba22eb2241dc7c533fac48ac9fe027615ff858c47b4a32b9366072bf5011f9114a636ab1a17f079e5139c156fee9f7c85
-
Filesize
222KB
MD5258b84a4c1af516d463323bcc90aa94a
SHA1751bf1eb8759e9cc35ca28f7fe83afa1409435dc
SHA2560c53524cc55785d6a648dfa7e3b08a6ecb6f2247cd3a8983c2dc54f1a2d0733b
SHA512fd8cd36d813dc58d98ed01e895f08daba22eb2241dc7c533fac48ac9fe027615ff858c47b4a32b9366072bf5011f9114a636ab1a17f079e5139c156fee9f7c85
-
Filesize
222KB
MD5369aec65b1f1b5f1ab99a1aeaa605d2b
SHA113950269735d4d7bfbf9d0f38bcfcf0de8145a15
SHA25678f2efb4befca097a9220b9f6ac09ae4c3ea96fa9e8d3034d5d03765044e307a
SHA51205c6a4e5f09d21f9f6ec17e607a0edf83469df290802df8b8fbc544e315c95892e0ddc63c7b1b93f0f81e7b6c1e02d92029d4a42c9512793c2a12000cc99c46d
-
Filesize
222KB
MD5369aec65b1f1b5f1ab99a1aeaa605d2b
SHA113950269735d4d7bfbf9d0f38bcfcf0de8145a15
SHA25678f2efb4befca097a9220b9f6ac09ae4c3ea96fa9e8d3034d5d03765044e307a
SHA51205c6a4e5f09d21f9f6ec17e607a0edf83469df290802df8b8fbc544e315c95892e0ddc63c7b1b93f0f81e7b6c1e02d92029d4a42c9512793c2a12000cc99c46d
-
Filesize
222KB
MD5a5f0b996282bd727c2ca5e592b24812d
SHA11785005081e7517eae9fa8a8550948fb9e90c8f5
SHA256e476755ae3067216ae43ead2e1802a28a2ce513d4c753ab6f150f867e9ccc9b7
SHA512ad9aa7ef5ceb336eaf96c93f69a0e3c98728e77589d5e38d65a1db7e5109d67d5d6e19105cc6b59a5c868c6324d7ab83b693c342e9d01ec9908813deeb4244e3
-
Filesize
222KB
MD5a5f0b996282bd727c2ca5e592b24812d
SHA11785005081e7517eae9fa8a8550948fb9e90c8f5
SHA256e476755ae3067216ae43ead2e1802a28a2ce513d4c753ab6f150f867e9ccc9b7
SHA512ad9aa7ef5ceb336eaf96c93f69a0e3c98728e77589d5e38d65a1db7e5109d67d5d6e19105cc6b59a5c868c6324d7ab83b693c342e9d01ec9908813deeb4244e3