632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d

Analysis

max time kernel
141s
max time network
125s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Size

91KB
MD5

d706c2e356a3bebe0475aafc6a63dade
SHA1

ca5c68350f9243d604a12559db2e44db8144bdb3
SHA256

632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d
SHA512

69f105dcc29e13ae47265631bcc76851ccc03c639ae05f125a094512d0789c327a996525c4c851e517a0d2fc769fbe7f519fd987b4fac4e41a3c9dad15c86c25
SSDEEP

768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKyp3gRYjXbUeHORIC7:uT3OA3+KQsxfS4jynT3OA3+KQsxfS4q

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 10 IoCs

pid	Process
1476	xk.exe
2804	IExplorer.exe
292	WINLOGON.EXE
320	xk.exe
2844	IExplorer.exe
1880	WINLOGON.EXE
2432	CSRSS.EXE
2176	SERVICES.EXE
1572	LSASS.EXE
1160	SMSS.EXE

Loads dropped DLL 16 IoCs

pid	Process
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	F:\desktop.ini	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\M:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\S:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\V:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\I:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\O:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\P:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Q:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\W:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Z:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\B:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\G:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\H:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\N:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\U:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\Y:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\E:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\J:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\L:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\R:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\T:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened (read-only)	\??\X:	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\shell.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\xk.exe	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\ = "_Accounts"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\ = "_FromRssFeedRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ = "ItemProperties"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ = "_SelectNamesDialog"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\ = "_SimpleItems"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ = "_OlkCheckBox"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ = "_FormRegionStartup"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ = "_DRecipientControlEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
560	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
560	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
560	OUTLOOK.EXE
560	OUTLOOK.EXE
560	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
560	OUTLOOK.EXE
560	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
1476	xk.exe
2804	IExplorer.exe
292	WINLOGON.EXE
320	xk.exe
2844	IExplorer.exe
1880	WINLOGON.EXE
2432	CSRSS.EXE
2176	SERVICES.EXE
1572	LSASS.EXE
1160	SMSS.EXE
560	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 1476	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	28
PID 2052 wrote to memory of 1476	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	28
PID 2052 wrote to memory of 1476	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	28
PID 2052 wrote to memory of 1476	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	28
PID 2052 wrote to memory of 2804	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	29
PID 2052 wrote to memory of 2804	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	29
PID 2052 wrote to memory of 2804	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	29
PID 2052 wrote to memory of 2804	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	29
PID 2052 wrote to memory of 292	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	30
PID 2052 wrote to memory of 292	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	30
PID 2052 wrote to memory of 292	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	30
PID 2052 wrote to memory of 292	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	30
PID 2052 wrote to memory of 320	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	31
PID 2052 wrote to memory of 320	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	31
PID 2052 wrote to memory of 320	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	31
PID 2052 wrote to memory of 320	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	31
PID 2052 wrote to memory of 2844	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	32
PID 2052 wrote to memory of 2844	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	32
PID 2052 wrote to memory of 2844	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	32
PID 2052 wrote to memory of 2844	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	32
PID 2052 wrote to memory of 1880	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	33
PID 2052 wrote to memory of 1880	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	33
PID 2052 wrote to memory of 1880	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	33
PID 2052 wrote to memory of 1880	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	33
PID 2052 wrote to memory of 2432	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	34
PID 2052 wrote to memory of 2432	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	34
PID 2052 wrote to memory of 2432	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	34
PID 2052 wrote to memory of 2432	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	34
PID 2052 wrote to memory of 2176	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	35
PID 2052 wrote to memory of 2176	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	35
PID 2052 wrote to memory of 2176	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	35
PID 2052 wrote to memory of 2176	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	35
PID 2052 wrote to memory of 1572	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	36
PID 2052 wrote to memory of 1572	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	36
PID 2052 wrote to memory of 1572	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	36
PID 2052 wrote to memory of 1572	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	36
PID 2052 wrote to memory of 1160	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	37
PID 2052 wrote to memory of 1160	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	37
PID 2052 wrote to memory of 1160	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	37
PID 2052 wrote to memory of 1160	2052	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe	37

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.NEASd706c2e356a3bebe0475aafc6a63dadeexe_JC.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2052
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2804
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:292
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:320
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2844
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2432
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1572
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1160

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
78f1e1721936bb759bf71f2aa7630a05

SHA1
0ed62e54d1810fe49d8b1e4e2bc73eea0ec48fc8

SHA256
f123fe261b852a3c273e0e262326e83cb6ab1ae74bf7018af39a3c8bfe3bee68

SHA512
1432adc619807656004b3d8dc199ab348e29e984a2cac7c77eb07d716a2b4ffb3274356fd3542e56b9492d7f8a6ff0555ce596019418b45b6fa9b034d898ed53

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
c83e704a80e815af277c05ce3818270e

SHA1
843f483b90295517c47413c3a27316bc239178bd

SHA256
79a3dd7927cf7efb905a7093d7554f2036aa4392216eb6e2b66cd7272c327f83

SHA512
28fcfbd3eb4c0088347ace1053ac567940e0927cc61f5b0b540ed5a8c043ac78d69d91e8c4fdca6d49ee581eb47a2598cabb2e8a76804703521710236fc19ad6

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
e068e56adaeda4b9143c5ae2627efec4

SHA1
d1b16b2ea10778b32c46322073de0ad129851f74

SHA256
cf65d3967fd18af0b2574ae1a46191949d541c60367704ee325d54ce81010700

SHA512
27b0837109e75cb9fc2c5b334ea1803d8eda33751280af2a0d1d3042f1bfeebdef9caea554943967e168498d10f33f822b290fee8d3ab4f33293b98798718356

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
0ee10484b002e983af4b6bc21bacfb11

SHA1
0cf5f27250f474851c779f0d80feafa989b427d9

SHA256
f7da4ccb8a05d23a0f23cb3fda74c55acdc1b7cd4e23cd013e0d2356ce6a1c42

SHA512
4b881281014a8b1c8a619c0a94f8b8718e4a5356b6857201f883c262f0a18688f297bd4b1500f72c72c7f7e9ed9fefd30755fc43276d55306d7af1a34603846d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
4538ab5f76e416ae51cbec5a21891e7d

SHA1
b93c84f2ce742a3f9dd5773ede811e691e36174e

SHA256
65fbfa2f7f5f433eaf15058b1bb14e8465e41deb9328ba0f0e041064add13080

SHA512
71b5e9f0e5488a1501234a0c806bff4c2ac754c53a21814c936002f2ee2a09a415c770401388a9e1d3f7d6db8439606078eaccfeb7a618a32d6e4432dab5d29f

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
cb15f9221d240f94ddf36fa7c66d392b

SHA1
5dddc0a03e3c651edd125ae2c818f5e3566a9567

SHA256
9e9029c31526b8049866165b06a03be5c42c2f57cf350c7764431204146defac

SHA512
0c8bffadead5b89985e2671b4d5cb7f1f1b738408249910125492781832d0b4b92c135fcdd382da8e34c37a4f678f52aa4ad26b8ba486905d626eb703b93d40d

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
91KB

MD5
d706c2e356a3bebe0475aafc6a63dade

SHA1
ca5c68350f9243d604a12559db2e44db8144bdb3

SHA256
632afae0364939a18b6d18c91f9233f1db69524917d7ea3f763cd8e8dbea486d

SHA512
69f105dcc29e13ae47265631bcc76851ccc03c639ae05f125a094512d0789c327a996525c4c851e517a0d2fc769fbe7f519fd987b4fac4e41a3c9dad15c86c25

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3c2ebcead7593a34acc5b39f50e19782

SHA1
d7743a3187d8ed3859de76c8596dbf48b0c03aaf

SHA256
950fd8b2a530600a3cd0a54430e5db9cc128a69ee98032924ff6144188b2cef1

SHA512
543dcffdfd5876c0770b1ab1bc3225d7108a8c4a5c6e5acff9ade2126bf3d7036be85d2086c7bbc39c2754d0e5184aedad21809cdd10c26d62ca61385ca5ebf4

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
94e7a70eb2a4b9fb19c7241a6861a8e9

SHA1
109f18f86e908c4b8315cf30d447c433047328e8

SHA256
c347cfd973f334643a8c0b46cbf990f4eb04a2678430edd8aa5f80e1bbd4aa21

SHA512
f148b5dc985f1cf7893cc1e7af022386c4d4bdd0b7de0a30f7b0d318a7b99a3e5187637fefc339f1fef1feb3c7d2f640945601f7a41a2bf4eb5ea753842301b6

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
ac16c48860413356abca5c1af5a6da98

SHA1
07bfe9134937bbcffcfbfee220c58a3442658a98

SHA256
4ccc06e791d8a6531737848b094c16d2ced684fc53efee13f011bd724e14b8eb

SHA512
4e1bbb4feeb9ecd09c798c2cbd5c9882fbe869b60af0b6b2d7bd79295fa3dc5551e419a2a8e2e9f5966837e6d72710a376371478d5732b5bdfe53275b7a65a0b

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
bc2b492b578d29a73ca6d83c5b89b8d5

SHA1
d721e783cef1094dba91657c2413c3b7e2ecc64f

SHA256
f55d040256fd669dbd5da6edc217356a4d72c24bec098d704b92dde6c3cdce08

SHA512
fc5676e78fe7fe7c0ef83aca55dcf79a95ea443b9f41f4fe03ae2673dd5f1c58baf2117d808eefda22fd3fbdaf08f45430ba2336ffec9a4b9d261f76fe158035

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
78f1e1721936bb759bf71f2aa7630a05

SHA1
0ed62e54d1810fe49d8b1e4e2bc73eea0ec48fc8

SHA256
f123fe261b852a3c273e0e262326e83cb6ab1ae74bf7018af39a3c8bfe3bee68

SHA512
1432adc619807656004b3d8dc199ab348e29e984a2cac7c77eb07d716a2b4ffb3274356fd3542e56b9492d7f8a6ff0555ce596019418b45b6fa9b034d898ed53

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
78f1e1721936bb759bf71f2aa7630a05

SHA1
0ed62e54d1810fe49d8b1e4e2bc73eea0ec48fc8

SHA256
f123fe261b852a3c273e0e262326e83cb6ab1ae74bf7018af39a3c8bfe3bee68

SHA512
1432adc619807656004b3d8dc199ab348e29e984a2cac7c77eb07d716a2b4ffb3274356fd3542e56b9492d7f8a6ff0555ce596019418b45b6fa9b034d898ed53

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
c83e704a80e815af277c05ce3818270e

SHA1
843f483b90295517c47413c3a27316bc239178bd

SHA256
79a3dd7927cf7efb905a7093d7554f2036aa4392216eb6e2b66cd7272c327f83

SHA512
28fcfbd3eb4c0088347ace1053ac567940e0927cc61f5b0b540ed5a8c043ac78d69d91e8c4fdca6d49ee581eb47a2598cabb2e8a76804703521710236fc19ad6

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
c83e704a80e815af277c05ce3818270e

SHA1
843f483b90295517c47413c3a27316bc239178bd

SHA256
79a3dd7927cf7efb905a7093d7554f2036aa4392216eb6e2b66cd7272c327f83

SHA512
28fcfbd3eb4c0088347ace1053ac567940e0927cc61f5b0b540ed5a8c043ac78d69d91e8c4fdca6d49ee581eb47a2598cabb2e8a76804703521710236fc19ad6

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
e068e56adaeda4b9143c5ae2627efec4

SHA1
d1b16b2ea10778b32c46322073de0ad129851f74

SHA256
cf65d3967fd18af0b2574ae1a46191949d541c60367704ee325d54ce81010700

SHA512
27b0837109e75cb9fc2c5b334ea1803d8eda33751280af2a0d1d3042f1bfeebdef9caea554943967e168498d10f33f822b290fee8d3ab4f33293b98798718356

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
e068e56adaeda4b9143c5ae2627efec4

SHA1
d1b16b2ea10778b32c46322073de0ad129851f74

SHA256
cf65d3967fd18af0b2574ae1a46191949d541c60367704ee325d54ce81010700

SHA512
27b0837109e75cb9fc2c5b334ea1803d8eda33751280af2a0d1d3042f1bfeebdef9caea554943967e168498d10f33f822b290fee8d3ab4f33293b98798718356

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
0ee10484b002e983af4b6bc21bacfb11

SHA1
0cf5f27250f474851c779f0d80feafa989b427d9

SHA256
f7da4ccb8a05d23a0f23cb3fda74c55acdc1b7cd4e23cd013e0d2356ce6a1c42

SHA512
4b881281014a8b1c8a619c0a94f8b8718e4a5356b6857201f883c262f0a18688f297bd4b1500f72c72c7f7e9ed9fefd30755fc43276d55306d7af1a34603846d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
0ee10484b002e983af4b6bc21bacfb11

SHA1
0cf5f27250f474851c779f0d80feafa989b427d9

SHA256
f7da4ccb8a05d23a0f23cb3fda74c55acdc1b7cd4e23cd013e0d2356ce6a1c42

SHA512
4b881281014a8b1c8a619c0a94f8b8718e4a5356b6857201f883c262f0a18688f297bd4b1500f72c72c7f7e9ed9fefd30755fc43276d55306d7af1a34603846d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
4538ab5f76e416ae51cbec5a21891e7d

SHA1
b93c84f2ce742a3f9dd5773ede811e691e36174e

SHA256
65fbfa2f7f5f433eaf15058b1bb14e8465e41deb9328ba0f0e041064add13080

SHA512
71b5e9f0e5488a1501234a0c806bff4c2ac754c53a21814c936002f2ee2a09a415c770401388a9e1d3f7d6db8439606078eaccfeb7a618a32d6e4432dab5d29f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
4538ab5f76e416ae51cbec5a21891e7d

SHA1
b93c84f2ce742a3f9dd5773ede811e691e36174e

SHA256
65fbfa2f7f5f433eaf15058b1bb14e8465e41deb9328ba0f0e041064add13080

SHA512
71b5e9f0e5488a1501234a0c806bff4c2ac754c53a21814c936002f2ee2a09a415c770401388a9e1d3f7d6db8439606078eaccfeb7a618a32d6e4432dab5d29f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
cb15f9221d240f94ddf36fa7c66d392b

SHA1
5dddc0a03e3c651edd125ae2c818f5e3566a9567

SHA256
9e9029c31526b8049866165b06a03be5c42c2f57cf350c7764431204146defac

SHA512
0c8bffadead5b89985e2671b4d5cb7f1f1b738408249910125492781832d0b4b92c135fcdd382da8e34c37a4f678f52aa4ad26b8ba486905d626eb703b93d40d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
cb15f9221d240f94ddf36fa7c66d392b

SHA1
5dddc0a03e3c651edd125ae2c818f5e3566a9567

SHA256
9e9029c31526b8049866165b06a03be5c42c2f57cf350c7764431204146defac

SHA512
0c8bffadead5b89985e2671b4d5cb7f1f1b738408249910125492781832d0b4b92c135fcdd382da8e34c37a4f678f52aa4ad26b8ba486905d626eb703b93d40d

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3c2ebcead7593a34acc5b39f50e19782

SHA1
d7743a3187d8ed3859de76c8596dbf48b0c03aaf

SHA256
950fd8b2a530600a3cd0a54430e5db9cc128a69ee98032924ff6144188b2cef1

SHA512
543dcffdfd5876c0770b1ab1bc3225d7108a8c4a5c6e5acff9ade2126bf3d7036be85d2086c7bbc39c2754d0e5184aedad21809cdd10c26d62ca61385ca5ebf4

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
3c2ebcead7593a34acc5b39f50e19782

SHA1
d7743a3187d8ed3859de76c8596dbf48b0c03aaf

SHA256
950fd8b2a530600a3cd0a54430e5db9cc128a69ee98032924ff6144188b2cef1

SHA512
543dcffdfd5876c0770b1ab1bc3225d7108a8c4a5c6e5acff9ade2126bf3d7036be85d2086c7bbc39c2754d0e5184aedad21809cdd10c26d62ca61385ca5ebf4

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
94e7a70eb2a4b9fb19c7241a6861a8e9

SHA1
109f18f86e908c4b8315cf30d447c433047328e8

SHA256
c347cfd973f334643a8c0b46cbf990f4eb04a2678430edd8aa5f80e1bbd4aa21

SHA512
f148b5dc985f1cf7893cc1e7af022386c4d4bdd0b7de0a30f7b0d318a7b99a3e5187637fefc339f1fef1feb3c7d2f640945601f7a41a2bf4eb5ea753842301b6

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
94e7a70eb2a4b9fb19c7241a6861a8e9

SHA1
109f18f86e908c4b8315cf30d447c433047328e8

SHA256
c347cfd973f334643a8c0b46cbf990f4eb04a2678430edd8aa5f80e1bbd4aa21

SHA512
f148b5dc985f1cf7893cc1e7af022386c4d4bdd0b7de0a30f7b0d318a7b99a3e5187637fefc339f1fef1feb3c7d2f640945601f7a41a2bf4eb5ea753842301b6

Download Submit
memory/292-142-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/292-146-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/292-148-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/292-150-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/292-235-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/320-215-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/320-208-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/320-207-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/560-318-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/560-419-0x0000000073791000-0x0000000073792000-memory.dmp

Filesize
4KB

Download
memory/560-446-0x00000000732CD000-0x00000000732D8000-memory.dmp

Filesize
44KB

Download
memory/560-319-0x00000000732CD000-0x00000000732D8000-memory.dmp

Filesize
44KB

Download
memory/1160-293-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1160-289-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1476-119-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1476-115-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1476-114-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1572-276-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/1572-277-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1572-281-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1880-237-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1880-244-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1880-241-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1880-236-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2052-140-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2052-143-0x0000000002E40000-0x0000000002E6C000-memory.dmp

Filesize
176KB

Download
memory/2052-445-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2052-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2052-220-0x0000000002E40000-0x0000000002E6C000-memory.dmp

Filesize
176KB

Download
memory/2052-1-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2052-209-0x0000000002E40000-0x0000000002E6C000-memory.dmp

Filesize
176KB

Download
memory/2052-2-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2052-3-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2052-126-0x0000000002E40000-0x0000000002E6C000-memory.dmp

Filesize
176KB

Download
memory/2052-4-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2052-113-0x0000000002E40000-0x0000000002E6C000-memory.dmp

Filesize
176KB

Download
memory/2176-268-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2176-264-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2176-263-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2432-251-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2432-250-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2432-255-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2804-129-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download
memory/2804-128-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2844-222-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2844-229-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2844-223-0x0000000000020000-0x0000000000024000-memory.dmp

Filesize
16KB

Download