3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc

Analysis

max time kernel
143s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
14/10/2023, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.b016230067411a11d2a2dcf179072330.exe
Size

196KB
MD5

b016230067411a11d2a2dcf179072330
SHA1

ef613a6e62d7bfd59e8700f6d0fca7108ab7b46f
SHA256

3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc
SHA512

37e1228075cbb1321680d56a2d35398504fc351092664fab5838446d94d44968dc41c498cc0547b3f771a9478cd2b6dd6a2cb2c018b8103b9a514585d02e4ecb
SSDEEP

3072:ZOgUXoutNHxZVX4/awxfodLJUBv9Bsor1rHjhMU9npQQpmuG:ZFYoShRARoYlld9n2Qpmx

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.b016230067411a11d2a2dcf179072330.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 13 IoCs

pid	Process
2912	xk.exe
2956	IExplorer.exe
1592	WINLOGON.EXE
2812	CSRSS.EXE
752	SERVICES.EXE
2916	LSASS.EXE
2188	xk.exe
3052	IExplorer.exe
1088	WINLOGON.EXE
1864	CSRSS.EXE
2132	SERVICES.EXE
1564	LSASS.EXE
2064	SMSS.EXE

Loads dropped DLL 22 IoCs

pid	Process
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
1272	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.b016230067411a11d2a2dcf179072330.exe

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1272-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000015ca0-8.dat	upx
behavioral1/memory/2912-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000a000000015e08-110.dat	upx
behavioral1/memory/2912-114-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001644f-115.dat	upx
behavioral1/memory/2956-122-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000600000001644f-121.dat	upx
behavioral1/files/0x000600000001644f-117.dat	upx
behavioral1/memory/2956-125-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016614-126.dat	upx
behavioral1/files/0x0006000000016614-128.dat	upx
behavioral1/files/0x0006000000016614-132.dat	upx
behavioral1/memory/1592-135-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1272-138-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000167f2-136.dat	upx
behavioral1/files/0x00060000000167f2-139.dat	upx
behavioral1/files/0x00060000000167f2-143.dat	upx
behavioral1/files/0x0006000000016ae1-146.dat	upx
behavioral1/memory/2812-148-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ae1-149.dat	upx
behavioral1/files/0x0006000000016ae1-153.dat	upx
behavioral1/memory/752-156-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ba5-159.dat	upx
behavioral1/files/0x0006000000016ba5-157.dat	upx
behavioral1/files/0x0006000000016ba5-163.dat	upx
behavioral1/memory/2916-164-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2916-170-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000a000000015e08-222.dat	upx
behavioral1/files/0x000600000001644f-225.dat	upx
behavioral1/files/0x000600000001644f-232.dat	upx
behavioral1/files/0x000600000001644f-228.dat	upx
behavioral1/memory/2188-227-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3052-236-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016614-235.dat	upx
behavioral1/files/0x0006000000016614-238.dat	upx
behavioral1/files/0x0006000000016614-242.dat	upx
behavioral1/files/0x00060000000167f2-252.dat	upx
behavioral1/files/0x00060000000167f2-248.dat	upx
behavioral1/memory/1088-247-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000167f2-245.dat	upx
behavioral1/memory/1864-256-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ae1-263.dat	upx
behavioral1/files/0x0006000000016ae1-259.dat	upx
behavioral1/files/0x0006000000016ae1-257.dat	upx
behavioral1/files/0x0006000000016ba5-273.dat	upx
behavioral1/files/0x0006000000016ba5-269.dat	upx
behavioral1/memory/2132-268-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016ba5-266.dat	upx
behavioral1/memory/1564-278-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000016c21-279.dat	upx
behavioral1/files/0x0006000000016c21-281.dat	upx
behavioral1/files/0x0006000000016c21-286.dat	upx
behavioral1/memory/2064-289-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1272-399-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.b016230067411a11d2a2dcf179072330.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	F:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	F:\desktop.ini	NEAS.b016230067411a11d2a2dcf179072330.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\V:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\X:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\H:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\I:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\R:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Y:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\J:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\M:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\K:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\O:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Q:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\S:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\T:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\U:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\B:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\E:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\Z:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\N:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\W:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\G:	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened (read-only)	\??\L:	NEAS.b016230067411a11d2a2dcf179072330.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.b016230067411a11d2a2dcf179072330.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\xk.exe	NEAS.b016230067411a11d2a2dcf179072330.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.b016230067411a11d2a2dcf179072330.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063089-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\ = "_OlkComboBox"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ = "_AutoFormatRules"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ = "MAPIFolder"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ = "ExplorerEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ = "_RuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ = "ItemProperty"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ = "_OutlookBarShortcuts"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ = "_AccountSelector"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\ = "_OlkListBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ = "_OlkInfoBar"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1076	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1272	NEAS.b016230067411a11d2a2dcf179072330.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1076	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1076	OUTLOOK.EXE
1076	OUTLOOK.EXE
1076	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1076	OUTLOOK.EXE
1076	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1272	NEAS.b016230067411a11d2a2dcf179072330.exe
2912	xk.exe
2956	IExplorer.exe
1592	WINLOGON.EXE
2812	CSRSS.EXE
752	SERVICES.EXE
2916	LSASS.EXE
2188	xk.exe
3052	IExplorer.exe
1088	WINLOGON.EXE
1864	CSRSS.EXE
2132	SERVICES.EXE
1564	LSASS.EXE
2064	SMSS.EXE
1076	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2912	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	28
PID 1272 wrote to memory of 2912	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	28
PID 1272 wrote to memory of 2912	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	28
PID 1272 wrote to memory of 2912	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	28
PID 1272 wrote to memory of 2956	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	29
PID 1272 wrote to memory of 2956	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	29
PID 1272 wrote to memory of 2956	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	29
PID 1272 wrote to memory of 2956	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	29
PID 1272 wrote to memory of 1592	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	30
PID 1272 wrote to memory of 1592	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	30
PID 1272 wrote to memory of 1592	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	30
PID 1272 wrote to memory of 1592	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	30
PID 1272 wrote to memory of 2812	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	31
PID 1272 wrote to memory of 2812	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	31
PID 1272 wrote to memory of 2812	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	31
PID 1272 wrote to memory of 2812	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	31
PID 1272 wrote to memory of 752	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	32
PID 1272 wrote to memory of 752	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	32
PID 1272 wrote to memory of 752	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	32
PID 1272 wrote to memory of 752	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	32
PID 1272 wrote to memory of 2916	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	33
PID 1272 wrote to memory of 2916	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	33
PID 1272 wrote to memory of 2916	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	33
PID 1272 wrote to memory of 2916	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	33
PID 1272 wrote to memory of 2188	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	34
PID 1272 wrote to memory of 2188	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	34
PID 1272 wrote to memory of 2188	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	34
PID 1272 wrote to memory of 2188	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	34
PID 1272 wrote to memory of 3052	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	35
PID 1272 wrote to memory of 3052	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	35
PID 1272 wrote to memory of 3052	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	35
PID 1272 wrote to memory of 3052	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	35
PID 1272 wrote to memory of 1088	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	36
PID 1272 wrote to memory of 1088	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	36
PID 1272 wrote to memory of 1088	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	36
PID 1272 wrote to memory of 1088	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	36
PID 1272 wrote to memory of 1864	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	37
PID 1272 wrote to memory of 1864	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	37
PID 1272 wrote to memory of 1864	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	37
PID 1272 wrote to memory of 1864	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	37
PID 1272 wrote to memory of 2132	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	38
PID 1272 wrote to memory of 2132	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	38
PID 1272 wrote to memory of 2132	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	38
PID 1272 wrote to memory of 2132	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	38
PID 1272 wrote to memory of 1564	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	39
PID 1272 wrote to memory of 1564	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	39
PID 1272 wrote to memory of 1564	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	39
PID 1272 wrote to memory of 1564	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	39
PID 1272 wrote to memory of 2064	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	40
PID 1272 wrote to memory of 2064	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	40
PID 1272 wrote to memory of 2064	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	40
PID 1272 wrote to memory of 2064	1272	NEAS.b016230067411a11d2a2dcf179072330.exe	40

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.b016230067411a11d2a2dcf179072330.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.b016230067411a11d2a2dcf179072330.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.b016230067411a11d2a2dcf179072330.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.b016230067411a11d2a2dcf179072330.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.b016230067411a11d2a2dcf179072330.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1272
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2912
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2956
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1592
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2812
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2916
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1088
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1864
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2132
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2064

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
ae03d3195df4686696c3546146fd8806

SHA1
ed705bf44f509990da0d80319f894591b62c2030

SHA256
7953179e4c67e90266547cf026f8c64cc671fba9876fb73347357ce8ab818be0

SHA512
d16fcb3398abdcaa7ce01c013c72cc396486de881549cb261369e6af824ed7b60ef0c756445089f3246249e3617870e8fab7b3372e9ddaf3c02823ad743ff6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
8615897572eb801370d1f9a9b038cc7c

SHA1
cedefdca9260f213ae212432f58456d2c048dc97

SHA256
d80d60a0a648f27ed01a6ff79a5067ef44e304d211d82522491c3ac015c1220c

SHA512
c62df61bc558b60581dfb5e55dd1ec188e31ea9ae776af2e74a9dc72debb612f1e6c695085cf52164bb680cb2f5e25f3aeced3b1cd9ee50eb08aca078b542976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
e6ae8095cd23b2855eba96b3d318a95d

SHA1
677b1ba9dbed246c8d60711f0a9ebe69809a9988

SHA256
1ca572e87eddeecfbfa67e5fb11049db264876953d3e38a7740100fd162c3074

SHA512
5c4c729de6c5a2848924d38292cd4179894e95c1a12dc3931bdd4092c1e91962a46411a6e7298054b7c23bcef0ce0420bb8a6f68d0370c3b3950ccea1ff22a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
cc95ffdd3ffab2dd53e0ca0df7d5af68

SHA1
85a9aae7d6c455f84502cbb38592209887d3e173

SHA256
86b1ef88e9818962b6fca9fd27d34c90d6ab8982fce277660492c2c2667f5b93

SHA512
e1429e5553220dfc9afc49d4adada177fd273699abba6ccb1a6db9a23b28fe091157901b1023ea6ee9392ed6ace76caba5fade5781259edd467e9b3cd78137c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
6c2f001e58bbae2a5985d90ca098914f

SHA1
6de9453377da546bd0690c2ee851bdce4f59c1ab

SHA256
30aa477e5c063a1010727832aaff6fee7ab286c26d5f1dedcbc0204027225872

SHA512
db0cb5f8016149e619e80b3e26340a82b3bca2685c0fa85a713661c5565976864992adf46edc8f0e46a33793d52641809af67eedacea919b39c00427b38dccfc

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
e62eac8cd64b90cb7315227b83ab3e59

SHA1
cf3e6a4f978c192ad14f7b025fe7ea11aa5d2b68

SHA256
099b23ba1feca85c68843375c26745c82cc604c95b14f2c2179e510a2c2d4e43

SHA512
50a7562d0be19451e3c29daf33d2289e06723f69b302db27d791a5ca121dd5ecc0d184f3a99c845513560e53601c1877383e68eda9afed66ed6d417ad43cd715

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
2dca2a23f92a1ffd700eee9829c3bada

SHA1
8ead3c0bfb4fde8b9f2ebf0c6a2ec3ad394506ad

SHA256
5a750cfa3ef1facc7af73c674f505b34b8d612f026697ba0aee6efc5014329b3

SHA512
fb926e1de08b24bc7e756a34d302894ff8547fbde1392576dd969c7e354b36252dca5e67c9d4eb9cd4bb0a6c2258511a82046ac8a3f06d5b6625970a6b40608c

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
64e6698c5e0168970b8a0f5d822baa25

SHA1
d772f0bdd9a019f123f6e9a84937a052c0c1a868

SHA256
6e9bd91fbc6b0583f854303fff9d69c8fe6a844c6fdb24b40553eef55ada3980

SHA512
aaa65ac71e8bddc83d19d59dc71a432fc5a4a947cc4dc0cba0e86dff95d32231870871e3372250b18786fb03de237e97ef7ce16a98e579c9b3e1c1c2f75ec29d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
2ab3faff36a24c366b186dffd3ac9003

SHA1
a211f80f42b3f22d3aa474013741a9d70be18eb0

SHA256
9fd829911abba7b7e096d9243ef73abfb0944d794e5d48ba9c70461da6898db2

SHA512
9ed2384146fed108eb3c7c697386cf8ab8ffcf672fbd20366bf2c989aa3b2ef49d9c0726e1a1873b4b6cc99d84d732039a685fbd6f277dfd523fb7532baf0242

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
08d55df8478240c4f4dc5c47df630062

SHA1
b4ce909e879df0b2840f45997db42b499c1a7fd1

SHA256
92704e0e62ea4fc7e32a1030a033416b1d6e190a871eeffbf62030bf9c4a02d4

SHA512
c13b58eb42f57887d2a244486799ce8007539c8cb3c0586b3fd05e1464c68528eacb955ce4a1323a9b75ee3400174d582350d9d122cb084e4a0a27538ebcf666

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
9154758c3debd74fd56490173329fa3b

SHA1
c3b58b70eab1a64d47c64bd49fd764419d459f81

SHA256
707aa9057254812119ad2b36798720d0ff6cb7111818c56a9cac45e0f63a128b

SHA512
cac44116bfb3cc89d87090e5d69264e90990649d700fc93990ae6c4abe3d0a572d66cced509812baedc35171c2ee7436a97299970f1a48174b54b14f0c392ac9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
983ea229886a99523711eb7fc620daac

SHA1
945a4c31e1d1d25f1f5c4fea68a698eefc3f75d5

SHA256
eb93180c3eb338c00e9952a3aba35e1b5c959593d4334dceec28c57764bdfeb4

SHA512
8955dcfecb63c84c09b35d74e76a0f932905d043c5ff60eccfe9870ff0b4278b50a75c61d9dae6cb31d0a2ec768aec398de2093cc0794c3a443b6c13ed78c3c3

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f27208548f478c7e4211e5c8bb46f2b4

SHA1
7eb8a811cbcb9c19fbdac45f7a24e5667dfba08e

SHA256
9146179a62451428a42f939f65860891426a2f3a719f71bed658e4a4ee6e0308

SHA512
79c8bd336ab19e3021ed6ee81a703d4f473e94372136ab401b569e06762538badec5604cf83bdaa06bf8dbdd1c1b981c26372acecf3ff9e66124ed93837703e9

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
196KB

MD5
b016230067411a11d2a2dcf179072330

SHA1
ef613a6e62d7bfd59e8700f6d0fca7108ab7b46f

SHA256
3b24b1c06cdd54a9f8912e9eb0b8482503e7174596a97dd535f3ad7965799fbc

SHA512
37e1228075cbb1321680d56a2d35398504fc351092664fab5838446d94d44968dc41c498cc0547b3f771a9478cd2b6dd6a2cb2c018b8103b9a514585d02e4ecb

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
1796818e3a5a5aec519a52279d92c5ef

SHA1
1f6253e05fb964e695114f7009a9cb2f7165192c

SHA256
a3aadeceed0361c0926ac73d36badb3136830d695b8bd72fd3a3a729d99b4673

SHA512
d673c7cbdb40443732667cbbab9acd898c91389726c445928ef2c180326ecaec355fdbd91d7c64f9181b8be5986f7af515f74f8f03ee21b9065637c5e4dde151

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
77316c8e242dd7acb57f46e74cc4a47e

SHA1
54caefd4ff0ad8b54de8d95f09d70bac143a9061

SHA256
e9998e74cf655aa3845b31226915f9ab9da4be88413ab4d69ebb5084d57adffd

SHA512
b0a3498d4569cf97b758c494e674942d86f20197e5a63766ceb6f586b25292c1833fffe3decddf9d79062a83293bbdf5ea451a6ff35af088f955a895da873bff

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
41af360d0d4b4fca6ebc3445f04e8b3d

SHA1
8ca8f6378467b82e0f4723b1473141ace11341e7

SHA256
8dd5a3c2520e3f4b4d2515df84bf0f4ef070f72dde169d7a1bd74cfc71e1c4ae

SHA512
2c4f94c4baf21a1906a586ac555bcd4675eee5352fac16702a94a3ee126d8b9808c4a3f1a46f272947199dbd3de45b07632e4db26a3d6c142b7bb48a03984eaa

Download Submit
C:\Windows\xk.exe

Filesize
196KB

MD5
5d25e69aeeec59a6a887d9bef8829d82

SHA1
1cd745823c0e1283c75af969c6a9cb603aeda42a

SHA256
ccadb29c433fe72a1b03a8d308724bfdaab6bebad9518976f649789dd3de7b20

SHA512
e4a3476dc01741068cc3c3b82ef0413480ffb9f9f4b63436e90254d01e8a0d8d2f1c4bc5249efb79777a28de6b4fefef54baf35d96ca01ccb3d6946332216dee

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
6c2f001e58bbae2a5985d90ca098914f

SHA1
6de9453377da546bd0690c2ee851bdce4f59c1ab

SHA256
30aa477e5c063a1010727832aaff6fee7ab286c26d5f1dedcbc0204027225872

SHA512
db0cb5f8016149e619e80b3e26340a82b3bca2685c0fa85a713661c5565976864992adf46edc8f0e46a33793d52641809af67eedacea919b39c00427b38dccfc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
6c2f001e58bbae2a5985d90ca098914f

SHA1
6de9453377da546bd0690c2ee851bdce4f59c1ab

SHA256
30aa477e5c063a1010727832aaff6fee7ab286c26d5f1dedcbc0204027225872

SHA512
db0cb5f8016149e619e80b3e26340a82b3bca2685c0fa85a713661c5565976864992adf46edc8f0e46a33793d52641809af67eedacea919b39c00427b38dccfc

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
e62eac8cd64b90cb7315227b83ab3e59

SHA1
cf3e6a4f978c192ad14f7b025fe7ea11aa5d2b68

SHA256
099b23ba1feca85c68843375c26745c82cc604c95b14f2c2179e510a2c2d4e43

SHA512
50a7562d0be19451e3c29daf33d2289e06723f69b302db27d791a5ca121dd5ecc0d184f3a99c845513560e53601c1877383e68eda9afed66ed6d417ad43cd715

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
196KB

MD5
e62eac8cd64b90cb7315227b83ab3e59

SHA1
cf3e6a4f978c192ad14f7b025fe7ea11aa5d2b68

SHA256
099b23ba1feca85c68843375c26745c82cc604c95b14f2c2179e510a2c2d4e43

SHA512
50a7562d0be19451e3c29daf33d2289e06723f69b302db27d791a5ca121dd5ecc0d184f3a99c845513560e53601c1877383e68eda9afed66ed6d417ad43cd715

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
2dca2a23f92a1ffd700eee9829c3bada

SHA1
8ead3c0bfb4fde8b9f2ebf0c6a2ec3ad394506ad

SHA256
5a750cfa3ef1facc7af73c674f505b34b8d612f026697ba0aee6efc5014329b3

SHA512
fb926e1de08b24bc7e756a34d302894ff8547fbde1392576dd969c7e354b36252dca5e67c9d4eb9cd4bb0a6c2258511a82046ac8a3f06d5b6625970a6b40608c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
2dca2a23f92a1ffd700eee9829c3bada

SHA1
8ead3c0bfb4fde8b9f2ebf0c6a2ec3ad394506ad

SHA256
5a750cfa3ef1facc7af73c674f505b34b8d612f026697ba0aee6efc5014329b3

SHA512
fb926e1de08b24bc7e756a34d302894ff8547fbde1392576dd969c7e354b36252dca5e67c9d4eb9cd4bb0a6c2258511a82046ac8a3f06d5b6625970a6b40608c

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
64e6698c5e0168970b8a0f5d822baa25

SHA1
d772f0bdd9a019f123f6e9a84937a052c0c1a868

SHA256
6e9bd91fbc6b0583f854303fff9d69c8fe6a844c6fdb24b40553eef55ada3980

SHA512
aaa65ac71e8bddc83d19d59dc71a432fc5a4a947cc4dc0cba0e86dff95d32231870871e3372250b18786fb03de237e97ef7ce16a98e579c9b3e1c1c2f75ec29d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
196KB

MD5
64e6698c5e0168970b8a0f5d822baa25

SHA1
d772f0bdd9a019f123f6e9a84937a052c0c1a868

SHA256
6e9bd91fbc6b0583f854303fff9d69c8fe6a844c6fdb24b40553eef55ada3980

SHA512
aaa65ac71e8bddc83d19d59dc71a432fc5a4a947cc4dc0cba0e86dff95d32231870871e3372250b18786fb03de237e97ef7ce16a98e579c9b3e1c1c2f75ec29d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
2ab3faff36a24c366b186dffd3ac9003

SHA1
a211f80f42b3f22d3aa474013741a9d70be18eb0

SHA256
9fd829911abba7b7e096d9243ef73abfb0944d794e5d48ba9c70461da6898db2

SHA512
9ed2384146fed108eb3c7c697386cf8ab8ffcf672fbd20366bf2c989aa3b2ef49d9c0726e1a1873b4b6cc99d84d732039a685fbd6f277dfd523fb7532baf0242

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
2ab3faff36a24c366b186dffd3ac9003

SHA1
a211f80f42b3f22d3aa474013741a9d70be18eb0

SHA256
9fd829911abba7b7e096d9243ef73abfb0944d794e5d48ba9c70461da6898db2

SHA512
9ed2384146fed108eb3c7c697386cf8ab8ffcf672fbd20366bf2c989aa3b2ef49d9c0726e1a1873b4b6cc99d84d732039a685fbd6f277dfd523fb7532baf0242

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
08d55df8478240c4f4dc5c47df630062

SHA1
b4ce909e879df0b2840f45997db42b499c1a7fd1

SHA256
92704e0e62ea4fc7e32a1030a033416b1d6e190a871eeffbf62030bf9c4a02d4

SHA512
c13b58eb42f57887d2a244486799ce8007539c8cb3c0586b3fd05e1464c68528eacb955ce4a1323a9b75ee3400174d582350d9d122cb084e4a0a27538ebcf666

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
196KB

MD5
08d55df8478240c4f4dc5c47df630062

SHA1
b4ce909e879df0b2840f45997db42b499c1a7fd1

SHA256
92704e0e62ea4fc7e32a1030a033416b1d6e190a871eeffbf62030bf9c4a02d4

SHA512
c13b58eb42f57887d2a244486799ce8007539c8cb3c0586b3fd05e1464c68528eacb955ce4a1323a9b75ee3400174d582350d9d122cb084e4a0a27538ebcf666

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
9154758c3debd74fd56490173329fa3b

SHA1
c3b58b70eab1a64d47c64bd49fd764419d459f81

SHA256
707aa9057254812119ad2b36798720d0ff6cb7111818c56a9cac45e0f63a128b

SHA512
cac44116bfb3cc89d87090e5d69264e90990649d700fc93990ae6c4abe3d0a572d66cced509812baedc35171c2ee7436a97299970f1a48174b54b14f0c392ac9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
196KB

MD5
9154758c3debd74fd56490173329fa3b

SHA1
c3b58b70eab1a64d47c64bd49fd764419d459f81

SHA256
707aa9057254812119ad2b36798720d0ff6cb7111818c56a9cac45e0f63a128b

SHA512
cac44116bfb3cc89d87090e5d69264e90990649d700fc93990ae6c4abe3d0a572d66cced509812baedc35171c2ee7436a97299970f1a48174b54b14f0c392ac9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
983ea229886a99523711eb7fc620daac

SHA1
945a4c31e1d1d25f1f5c4fea68a698eefc3f75d5

SHA256
eb93180c3eb338c00e9952a3aba35e1b5c959593d4334dceec28c57764bdfeb4

SHA512
8955dcfecb63c84c09b35d74e76a0f932905d043c5ff60eccfe9870ff0b4278b50a75c61d9dae6cb31d0a2ec768aec398de2093cc0794c3a443b6c13ed78c3c3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
983ea229886a99523711eb7fc620daac

SHA1
945a4c31e1d1d25f1f5c4fea68a698eefc3f75d5

SHA256
eb93180c3eb338c00e9952a3aba35e1b5c959593d4334dceec28c57764bdfeb4

SHA512
8955dcfecb63c84c09b35d74e76a0f932905d043c5ff60eccfe9870ff0b4278b50a75c61d9dae6cb31d0a2ec768aec398de2093cc0794c3a443b6c13ed78c3c3

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f27208548f478c7e4211e5c8bb46f2b4

SHA1
7eb8a811cbcb9c19fbdac45f7a24e5667dfba08e

SHA256
9146179a62451428a42f939f65860891426a2f3a719f71bed658e4a4ee6e0308

SHA512
79c8bd336ab19e3021ed6ee81a703d4f473e94372136ab401b569e06762538badec5604cf83bdaa06bf8dbdd1c1b981c26372acecf3ff9e66124ed93837703e9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
196KB

MD5
f27208548f478c7e4211e5c8bb46f2b4

SHA1
7eb8a811cbcb9c19fbdac45f7a24e5667dfba08e

SHA256
9146179a62451428a42f939f65860891426a2f3a719f71bed658e4a4ee6e0308

SHA512
79c8bd336ab19e3021ed6ee81a703d4f473e94372136ab401b569e06762538badec5604cf83bdaa06bf8dbdd1c1b981c26372acecf3ff9e66124ed93837703e9

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
1796818e3a5a5aec519a52279d92c5ef

SHA1
1f6253e05fb964e695114f7009a9cb2f7165192c

SHA256
a3aadeceed0361c0926ac73d36badb3136830d695b8bd72fd3a3a729d99b4673

SHA512
d673c7cbdb40443732667cbbab9acd898c91389726c445928ef2c180326ecaec355fdbd91d7c64f9181b8be5986f7af515f74f8f03ee21b9065637c5e4dde151

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
1796818e3a5a5aec519a52279d92c5ef

SHA1
1f6253e05fb964e695114f7009a9cb2f7165192c

SHA256
a3aadeceed0361c0926ac73d36badb3136830d695b8bd72fd3a3a729d99b4673

SHA512
d673c7cbdb40443732667cbbab9acd898c91389726c445928ef2c180326ecaec355fdbd91d7c64f9181b8be5986f7af515f74f8f03ee21b9065637c5e4dde151

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
77316c8e242dd7acb57f46e74cc4a47e

SHA1
54caefd4ff0ad8b54de8d95f09d70bac143a9061

SHA256
e9998e74cf655aa3845b31226915f9ab9da4be88413ab4d69ebb5084d57adffd

SHA512
b0a3498d4569cf97b758c494e674942d86f20197e5a63766ceb6f586b25292c1833fffe3decddf9d79062a83293bbdf5ea451a6ff35af088f955a895da873bff

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
196KB

MD5
77316c8e242dd7acb57f46e74cc4a47e

SHA1
54caefd4ff0ad8b54de8d95f09d70bac143a9061

SHA256
e9998e74cf655aa3845b31226915f9ab9da4be88413ab4d69ebb5084d57adffd

SHA512
b0a3498d4569cf97b758c494e674942d86f20197e5a63766ceb6f586b25292c1833fffe3decddf9d79062a83293bbdf5ea451a6ff35af088f955a895da873bff

Download Submit
memory/752-156-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-314-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1076-315-0x000000007350D000-0x0000000073518000-memory.dmp

Filesize
44KB

Download
memory/1076-421-0x000000006C441000-0x000000006C442000-memory.dmp

Filesize
4KB

Download
memory/1076-403-0x000000007350D000-0x0000000073518000-memory.dmp

Filesize
44KB

Download
memory/1088-247-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-253-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-275-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-396-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-395-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-276-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-285-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-400-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-109-0x0000000001C90000-0x0000000001CBF000-memory.dmp

Filesize
188KB

Download
memory/1272-399-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-278-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1592-135-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1864-256-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2064-289-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2132-268-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-227-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-114-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2912-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-164-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2916-170-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-122-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2956-125-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3052-236-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download