443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25

Analysis

max time kernel
141s
max time network
133s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 10:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Size

63KB
MD5

cd3cd158e5e84f4733f5453bc0c13320
SHA1

ccfe677890b815252c525fe4711a080a90efb173
SHA256

443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25
SHA512

0e3d4e0af1cd86fc2c46eabad06ffabaab25e287a48c43cea0414eafbe7b231122eca7da534e24444d80ff87b535dfba0a149acaf9721b6df690533cbdd699c5
SSDEEP

1536:jRsjdEIUFC2p79OCnouy8VDtHAG4RsfU:jOm9CshoutdtR4

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 14 IoCs

pid	Process
1672	xk.exe
1052	IExplorer.exe
3020	WINLOGON.EXE
2348	CSRSS.EXE
2104	SERVICES.EXE
2548	LSASS.EXE
1620	SMSS.EXE
2928	xk.exe
2068	IExplorer.exe
640	WINLOGON.EXE
1772	CSRSS.EXE
1880	SERVICES.EXE
2156	LSASS.EXE
1136	SMSS.EXE

Loads dropped DLL 24 IoCs

pid	Process
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies system executable filetype association 2 TTPs 13 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2120-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0007000000018b17-8.dat	upx
behavioral1/files/0x0028000000017101-108.dat	upx
behavioral1/memory/1672-111-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1672-113-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018f97-114.dat	upx
behavioral1/files/0x0006000000018f97-116.dat	upx
behavioral1/files/0x0006000000018f97-120.dat	upx
behavioral1/files/0x0005000000019333-124.dat	upx
behavioral1/files/0x0005000000019333-127.dat	upx
behavioral1/files/0x0005000000019333-132.dat	upx
behavioral1/memory/1052-126-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3020-133-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/3020-136-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001939b-143.dat	upx
behavioral1/files/0x000500000001939b-139.dat	upx
behavioral1/files/0x000500000001939b-137.dat	upx
behavioral1/memory/2348-144-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2348-147-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001939d-148.dat	upx
behavioral1/memory/2120-150-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001939d-151.dat	upx
behavioral1/files/0x000500000001939d-155.dat	upx
behavioral1/files/0x00050000000193c0-161.dat	upx
behavioral1/memory/2548-171-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000193cc-177.dat	upx
behavioral1/files/0x00050000000193cc-172.dat	upx
behavioral1/files/0x00050000000193cc-169.dat	upx
behavioral1/files/0x00050000000193c0-165.dat	upx
behavioral1/memory/2104-160-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000193c0-158.dat	upx
behavioral1/memory/1620-180-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0028000000017101-235.dat	upx
behavioral1/memory/2928-241-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018f97-247.dat	upx
behavioral1/memory/2120-248-0x0000000000550000-0x000000000057F000-memory.dmp	upx
behavioral1/files/0x0006000000018f97-243.dat	upx
behavioral1/files/0x0006000000018f97-240.dat	upx
behavioral1/memory/2068-252-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019333-253.dat	upx
behavioral1/files/0x0005000000019333-259.dat	upx
behavioral1/memory/640-260-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0005000000019333-255.dat	upx
behavioral1/files/0x000500000001939b-266.dat	upx
behavioral1/files/0x000500000001939b-264.dat	upx
behavioral1/memory/2120-271-0x0000000000550000-0x000000000057F000-memory.dmp	upx
behavioral1/files/0x000500000001939b-270.dat	upx
behavioral1/memory/640-263-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1772-276-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x000500000001939d-274.dat	upx
behavioral1/files/0x000500000001939d-281.dat	upx
behavioral1/files/0x000500000001939d-277.dat	upx
behavioral1/files/0x00050000000193c0-284.dat	upx
behavioral1/memory/1880-285-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000193c0-287.dat	upx
behavioral1/files/0x00050000000193c0-291.dat	upx
behavioral1/memory/2156-294-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00050000000193cc-297.dat	upx
behavioral1/files/0x00050000000193cc-295.dat	upx
behavioral1/files/0x00050000000193cc-301.dat	upx
behavioral1/memory/1136-305-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2120-457-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	F:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	F:\desktop.ini	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\P:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Q:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\T:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\W:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Z:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\U:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\V:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\E:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\G:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\H:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\I:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\L:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\N:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\X:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\Y:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\B:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\O:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\S:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\J:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\M:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened (read-only)	\??\R:	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\Mig2.scr	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xk.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\xk.exe	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ = "OutlookBarShortcut"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ = "_FormRegion"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ = "OlkCommandButtonEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FD-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2480	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2480	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2480	OUTLOOK.EXE
2480	OUTLOOK.EXE
2480	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2480	OUTLOOK.EXE
2480	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
1672	xk.exe
1052	IExplorer.exe
3020	WINLOGON.EXE
2348	CSRSS.EXE
2104	SERVICES.EXE
2548	LSASS.EXE
1620	SMSS.EXE
2928	xk.exe
2068	IExplorer.exe
640	WINLOGON.EXE
1772	CSRSS.EXE
1880	SERVICES.EXE
2156	LSASS.EXE
1136	SMSS.EXE
2480	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 1672	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	28
PID 2120 wrote to memory of 1672	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	28
PID 2120 wrote to memory of 1672	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	28
PID 2120 wrote to memory of 1672	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	28
PID 2120 wrote to memory of 1052	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	29
PID 2120 wrote to memory of 1052	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	29
PID 2120 wrote to memory of 1052	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	29
PID 2120 wrote to memory of 1052	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	29
PID 2120 wrote to memory of 3020	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	30
PID 2120 wrote to memory of 3020	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	30
PID 2120 wrote to memory of 3020	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	30
PID 2120 wrote to memory of 3020	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	30
PID 2120 wrote to memory of 2348	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	31
PID 2120 wrote to memory of 2348	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	31
PID 2120 wrote to memory of 2348	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	31
PID 2120 wrote to memory of 2348	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	31
PID 2120 wrote to memory of 2104	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	32
PID 2120 wrote to memory of 2104	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	32
PID 2120 wrote to memory of 2104	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	32
PID 2120 wrote to memory of 2104	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	32
PID 2120 wrote to memory of 2548	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	33
PID 2120 wrote to memory of 2548	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	33
PID 2120 wrote to memory of 2548	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	33
PID 2120 wrote to memory of 2548	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	33
PID 2120 wrote to memory of 1620	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	34
PID 2120 wrote to memory of 1620	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	34
PID 2120 wrote to memory of 1620	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	34
PID 2120 wrote to memory of 1620	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	34
PID 2120 wrote to memory of 2928	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	35
PID 2120 wrote to memory of 2928	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	35
PID 2120 wrote to memory of 2928	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	35
PID 2120 wrote to memory of 2928	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	35
PID 2120 wrote to memory of 2068	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	36
PID 2120 wrote to memory of 2068	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	36
PID 2120 wrote to memory of 2068	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	36
PID 2120 wrote to memory of 2068	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	36
PID 2120 wrote to memory of 640	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	37
PID 2120 wrote to memory of 640	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	37
PID 2120 wrote to memory of 640	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	37
PID 2120 wrote to memory of 640	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	37
PID 2120 wrote to memory of 1772	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	38
PID 2120 wrote to memory of 1772	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	38
PID 2120 wrote to memory of 1772	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	38
PID 2120 wrote to memory of 1772	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	38
PID 2120 wrote to memory of 1880	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	39
PID 2120 wrote to memory of 1880	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	39
PID 2120 wrote to memory of 1880	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	39
PID 2120 wrote to memory of 1880	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	39
PID 2120 wrote to memory of 2156	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	40
PID 2120 wrote to memory of 2156	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	40
PID 2120 wrote to memory of 2156	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	40
PID 2120 wrote to memory of 2156	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	40
PID 2120 wrote to memory of 1136	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	41
PID 2120 wrote to memory of 1136	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	41
PID 2120 wrote to memory of 1136	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	41
PID 2120 wrote to memory of 1136	2120	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe	41

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe

C:\Users\Admin\AppData\Local\Temp\NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.cd3cd158e5e84f4733f5453bc0c13320.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2120
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1672
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1052
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2348
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2104
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2928
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2068
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:640
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1772
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1880
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2156
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1136

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
8de7c90c63f4170396ba26d93df38c66

SHA1
82f37984432c2cf48639e4472d1346c5ddec6906

SHA256
0689858beaa967d365ef09dbf0269856d891e7fbdfb8abcb26b43edbafac9eb7

SHA512
e26ede4dfe6d0486c054642cdaf7f809ac6af24cbc19b98bc91463e5975b2bff52424b660ab047ccb61f89c748446b5f08638f25e040597a7f6431ada3cc9e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
ae8c1498638d781afc5a296d3046ae3c

SHA1
7d241af8d6c7c4abf9f74d4bf7548b3c122f4a23

SHA256
e3237992d9b29a36f2fee400ac395ab5d1009611fad11e08dd581c7de37b02b7

SHA512
3768902c801e59a04f34214ba9acf8e9ba88c1ce8675b256d5d232d9439f51527368be9ee2bc780326e645b995897730c7684e60b6f5293b026469e80745d944

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
95a2859de41ac418d5df0db9ff853870

SHA1
746370cf82f1378457d73524784e96dd193e2f1e

SHA256
2481a4cba086a0a9c804dd8f893508f04a89f45cdb5f98de5b41fa5133d75d12

SHA512
d41dd54b59e5c12a95303acc9246490ead20581375f0cc153e13eda6ca4d184fa33ed8aea2606b61fe31e19e73c143168db418d26edc6e3d500334a6a203e23f

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
2d7414bda15c1a32e096a6fe0c248dc7

SHA1
5ab3db4d07531f8b0b0d89b00cf2bac334d75a46

SHA256
4228b5b004fb7adec03721ef3d6e137fb240cdfd443c6b9d4537eba853bc094c

SHA512
5710fd0791005ef946d1369bf07f02ce678bba9c1b5247695c9591df488639e7872e728cae1848f4eaa486c0953d98231dda4aa134d787ddd6330e29dfb6d359

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
d5373084eac90fe466b492a02c961f9d

SHA1
946ee4e4e6926697c9dc09a3e56f36fc2bb77377

SHA256
12945f6dfb04c44c3a0db71096d0341f1c82127d4991b47027bf46f09788fc20

SHA512
3ffb819efb39e4f03143f513d793a03c4cf49ac529e93dae52a9a4801dff064937dc47f7400eb5daf780495cc1826ac663aae6c93a4198c2c7bdcf0d1be9f20d

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
0dfe5561daf48698aa38f61be7bf032f

SHA1
5353798b14b264bf2bf8e5d4309807409433219c

SHA256
3f60f177e044bcdc52b0fb08e35d8b49ac70f052a25a7fa4ac352a09c1313c29

SHA512
ec4e744655170decf5128babb99ad02cc08542e651556dc5314c648ebbbdd1a88e065be60b8d894fa262934824f6f6776e597fe157b76d9112716d8cff5f60e2

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
d869099b221ce1be2b91d2ce10eaffcb

SHA1
27106d499c1226faa824bd8efdf44a5c25fa65bf

SHA256
e805a05f57f457bd7d739f076b41a8a4525e651ea643e007e4f0513bb1169ac5

SHA512
7ea43ba74336805595ef9e705d1741089cdbfd74cc8bd4ea8ba6a6b68fd656a0c880adbd06731d28cdd27544421200645bf81d6efaae2b490de02ae26795cfd5

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
0b0e1042898e9eac7b9ad89dc0d5bb3b

SHA1
02d88dfcb0e75bca70007022588769cd4eaf2a64

SHA256
4df23df79d302d42a09d76b17bfc97981a105b03c4f70b83700a237459fd9be7

SHA512
f958c58136a9ad63c8aac8b15ccd19ad407f4dae362644ffe75232cef94dc8e4ff53bf90b000d82090be3b2f255f51b3a0745d43bbf25af99a91bb2dd770f187

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
667d2b1f29104334af4e080fc8978478

SHA1
b71d10a761e8277ea5475f0ab6c8e6e15659e6b6

SHA256
2bcf5ed66572b50e02b6afdca9d71bed4bc631173c6a4be0d81b88a562b12a5f

SHA512
ca3a502cad8163a9faa4655b2e86d0ec76b48e04697f7bfffb18936062b4c95109f019ec8d37ca77a016f215a88f52869f085f4e280af5d40e6fd3a7d029be01

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
4e00e87dde54086fd198860bb7cec17c

SHA1
d05acf93fd0f63bd23a753d8b76c01cec469e907

SHA256
d4950f9bbfca26f4cab0a3cc75855acca2f78d8d411cb31f1f20e5d12e9296f7

SHA512
6467246818dafa407145fc0881897f18f486d49b96da3711b5e882252ef154e039702cf927b68eda94c003324f5c54effe6b9fa6cfcbb046d082c31da993a6c9

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
465bce04302883f5a2b1a80c6f3e4282

SHA1
11ffb1af928a7ce6db48871bb6b5802ff0d6fbae

SHA256
338a54131c6a5f814eee3ba62401ed5e4f57c63e8004246f4de753f9d062c151

SHA512
63ef57636acc76e5c642014703e8e622c4ae05279035db6114d50e450f8f5c7dc0d445a58e96a7bc22bda3741eff1f95d1d390440632689f30d1640ca3a4e498

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
63KB

MD5
cd3cd158e5e84f4733f5453bc0c13320

SHA1
ccfe677890b815252c525fe4711a080a90efb173

SHA256
443862c81b4d4c8fda7e72af1901b8446b5b94a21a83e13cb936ff623d5d6c25

SHA512
0e3d4e0af1cd86fc2c46eabad06ffabaab25e287a48c43cea0414eafbe7b231122eca7da534e24444d80ff87b535dfba0a149acaf9721b6df690533cbdd699c5

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
86b0c83953d52f36cb4a62ab677a0e8e

SHA1
b9fd283f37c2e5efe9d018f588bf982b8ca458c8

SHA256
9e0c86c9e56dfdfe58d4fa669f285be21a9e8da122aff82da82e373904a30ec9

SHA512
b7c991cca1d5219da9bb7a6fc7bf30e42f3c9379ef8ebc1a06f74bf79732aab4ac02d9e68191dc26cc1f9e8086e4bc1e29d8b11470d7a781ea8dc588b021b5a5

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
e3df015ac1be3a643ce5e37093720117

SHA1
cdd98e8b808d61202a26cc439a612abd73311271

SHA256
0c6655db437ac25020942cb6c4ef037a2f14874b2ae8dfe39617ea3acf05e8c9

SHA512
6a98a479a3111de3df4b9f358652ce38b59e5e5e2a43b4552811d88db1c8ad0cf5f546da48e9377c5b8f9cb12c89fe74681d4ac50533b9435bb53daf943ee89b

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
dbb55d3423c92dd0033fe12946bdc048

SHA1
b47283a32048cfdfb1eb1a9a50d679e2b90f26d4

SHA256
1c1fc6ffa5ed9f3fb8f71215e5475e819408998a08442a95521f637b44462d8b

SHA512
99dcab4e5537c14d5d7fe80e830bd9d33c632e91a40e2c2e7cf31126117c20fcff8fcde7f5b24148a6c8ed4c003405510ded10d7c9a6f005aece391e294db971

Download Submit
C:\Windows\xk.exe

Filesize
63KB

MD5
ebeb9f83503d822ddc3ac779f2576220

SHA1
193d007b05cad984d74e19d267f4f8b0136ebcf9

SHA256
b8f2d17a8b844ff13d9b2c8a3419fadf26e7c169c94df400147c1724c6f4da66

SHA512
cef8dab37cbc27cb5c7603c4c33dda973c30e4b6548679c251064f5fa15e1dc1de79f0a7df618942d4aedd348760177637fb42a12043a38f31cb2036d709cae8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
ae8c1498638d781afc5a296d3046ae3c

SHA1
7d241af8d6c7c4abf9f74d4bf7548b3c122f4a23

SHA256
e3237992d9b29a36f2fee400ac395ab5d1009611fad11e08dd581c7de37b02b7

SHA512
3768902c801e59a04f34214ba9acf8e9ba88c1ce8675b256d5d232d9439f51527368be9ee2bc780326e645b995897730c7684e60b6f5293b026469e80745d944

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
ae8c1498638d781afc5a296d3046ae3c

SHA1
7d241af8d6c7c4abf9f74d4bf7548b3c122f4a23

SHA256
e3237992d9b29a36f2fee400ac395ab5d1009611fad11e08dd581c7de37b02b7

SHA512
3768902c801e59a04f34214ba9acf8e9ba88c1ce8675b256d5d232d9439f51527368be9ee2bc780326e645b995897730c7684e60b6f5293b026469e80745d944

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
95a2859de41ac418d5df0db9ff853870

SHA1
746370cf82f1378457d73524784e96dd193e2f1e

SHA256
2481a4cba086a0a9c804dd8f893508f04a89f45cdb5f98de5b41fa5133d75d12

SHA512
d41dd54b59e5c12a95303acc9246490ead20581375f0cc153e13eda6ca4d184fa33ed8aea2606b61fe31e19e73c143168db418d26edc6e3d500334a6a203e23f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
63KB

MD5
95a2859de41ac418d5df0db9ff853870

SHA1
746370cf82f1378457d73524784e96dd193e2f1e

SHA256
2481a4cba086a0a9c804dd8f893508f04a89f45cdb5f98de5b41fa5133d75d12

SHA512
d41dd54b59e5c12a95303acc9246490ead20581375f0cc153e13eda6ca4d184fa33ed8aea2606b61fe31e19e73c143168db418d26edc6e3d500334a6a203e23f

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
2d7414bda15c1a32e096a6fe0c248dc7

SHA1
5ab3db4d07531f8b0b0d89b00cf2bac334d75a46

SHA256
4228b5b004fb7adec03721ef3d6e137fb240cdfd443c6b9d4537eba853bc094c

SHA512
5710fd0791005ef946d1369bf07f02ce678bba9c1b5247695c9591df488639e7872e728cae1848f4eaa486c0953d98231dda4aa134d787ddd6330e29dfb6d359

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
2d7414bda15c1a32e096a6fe0c248dc7

SHA1
5ab3db4d07531f8b0b0d89b00cf2bac334d75a46

SHA256
4228b5b004fb7adec03721ef3d6e137fb240cdfd443c6b9d4537eba853bc094c

SHA512
5710fd0791005ef946d1369bf07f02ce678bba9c1b5247695c9591df488639e7872e728cae1848f4eaa486c0953d98231dda4aa134d787ddd6330e29dfb6d359

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
d5373084eac90fe466b492a02c961f9d

SHA1
946ee4e4e6926697c9dc09a3e56f36fc2bb77377

SHA256
12945f6dfb04c44c3a0db71096d0341f1c82127d4991b47027bf46f09788fc20

SHA512
3ffb819efb39e4f03143f513d793a03c4cf49ac529e93dae52a9a4801dff064937dc47f7400eb5daf780495cc1826ac663aae6c93a4198c2c7bdcf0d1be9f20d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
63KB

MD5
d5373084eac90fe466b492a02c961f9d

SHA1
946ee4e4e6926697c9dc09a3e56f36fc2bb77377

SHA256
12945f6dfb04c44c3a0db71096d0341f1c82127d4991b47027bf46f09788fc20

SHA512
3ffb819efb39e4f03143f513d793a03c4cf49ac529e93dae52a9a4801dff064937dc47f7400eb5daf780495cc1826ac663aae6c93a4198c2c7bdcf0d1be9f20d

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
0dfe5561daf48698aa38f61be7bf032f

SHA1
5353798b14b264bf2bf8e5d4309807409433219c

SHA256
3f60f177e044bcdc52b0fb08e35d8b49ac70f052a25a7fa4ac352a09c1313c29

SHA512
ec4e744655170decf5128babb99ad02cc08542e651556dc5314c648ebbbdd1a88e065be60b8d894fa262934824f6f6776e597fe157b76d9112716d8cff5f60e2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
0dfe5561daf48698aa38f61be7bf032f

SHA1
5353798b14b264bf2bf8e5d4309807409433219c

SHA256
3f60f177e044bcdc52b0fb08e35d8b49ac70f052a25a7fa4ac352a09c1313c29

SHA512
ec4e744655170decf5128babb99ad02cc08542e651556dc5314c648ebbbdd1a88e065be60b8d894fa262934824f6f6776e597fe157b76d9112716d8cff5f60e2

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
d869099b221ce1be2b91d2ce10eaffcb

SHA1
27106d499c1226faa824bd8efdf44a5c25fa65bf

SHA256
e805a05f57f457bd7d739f076b41a8a4525e651ea643e007e4f0513bb1169ac5

SHA512
7ea43ba74336805595ef9e705d1741089cdbfd74cc8bd4ea8ba6a6b68fd656a0c880adbd06731d28cdd27544421200645bf81d6efaae2b490de02ae26795cfd5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
63KB

MD5
d869099b221ce1be2b91d2ce10eaffcb

SHA1
27106d499c1226faa824bd8efdf44a5c25fa65bf

SHA256
e805a05f57f457bd7d739f076b41a8a4525e651ea643e007e4f0513bb1169ac5

SHA512
7ea43ba74336805595ef9e705d1741089cdbfd74cc8bd4ea8ba6a6b68fd656a0c880adbd06731d28cdd27544421200645bf81d6efaae2b490de02ae26795cfd5

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
0b0e1042898e9eac7b9ad89dc0d5bb3b

SHA1
02d88dfcb0e75bca70007022588769cd4eaf2a64

SHA256
4df23df79d302d42a09d76b17bfc97981a105b03c4f70b83700a237459fd9be7

SHA512
f958c58136a9ad63c8aac8b15ccd19ad407f4dae362644ffe75232cef94dc8e4ff53bf90b000d82090be3b2f255f51b3a0745d43bbf25af99a91bb2dd770f187

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
0b0e1042898e9eac7b9ad89dc0d5bb3b

SHA1
02d88dfcb0e75bca70007022588769cd4eaf2a64

SHA256
4df23df79d302d42a09d76b17bfc97981a105b03c4f70b83700a237459fd9be7

SHA512
f958c58136a9ad63c8aac8b15ccd19ad407f4dae362644ffe75232cef94dc8e4ff53bf90b000d82090be3b2f255f51b3a0745d43bbf25af99a91bb2dd770f187

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
667d2b1f29104334af4e080fc8978478

SHA1
b71d10a761e8277ea5475f0ab6c8e6e15659e6b6

SHA256
2bcf5ed66572b50e02b6afdca9d71bed4bc631173c6a4be0d81b88a562b12a5f

SHA512
ca3a502cad8163a9faa4655b2e86d0ec76b48e04697f7bfffb18936062b4c95109f019ec8d37ca77a016f215a88f52869f085f4e280af5d40e6fd3a7d029be01

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
63KB

MD5
667d2b1f29104334af4e080fc8978478

SHA1
b71d10a761e8277ea5475f0ab6c8e6e15659e6b6

SHA256
2bcf5ed66572b50e02b6afdca9d71bed4bc631173c6a4be0d81b88a562b12a5f

SHA512
ca3a502cad8163a9faa4655b2e86d0ec76b48e04697f7bfffb18936062b4c95109f019ec8d37ca77a016f215a88f52869f085f4e280af5d40e6fd3a7d029be01

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
4e00e87dde54086fd198860bb7cec17c

SHA1
d05acf93fd0f63bd23a753d8b76c01cec469e907

SHA256
d4950f9bbfca26f4cab0a3cc75855acca2f78d8d411cb31f1f20e5d12e9296f7

SHA512
6467246818dafa407145fc0881897f18f486d49b96da3711b5e882252ef154e039702cf927b68eda94c003324f5c54effe6b9fa6cfcbb046d082c31da993a6c9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
4e00e87dde54086fd198860bb7cec17c

SHA1
d05acf93fd0f63bd23a753d8b76c01cec469e907

SHA256
d4950f9bbfca26f4cab0a3cc75855acca2f78d8d411cb31f1f20e5d12e9296f7

SHA512
6467246818dafa407145fc0881897f18f486d49b96da3711b5e882252ef154e039702cf927b68eda94c003324f5c54effe6b9fa6cfcbb046d082c31da993a6c9

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
465bce04302883f5a2b1a80c6f3e4282

SHA1
11ffb1af928a7ce6db48871bb6b5802ff0d6fbae

SHA256
338a54131c6a5f814eee3ba62401ed5e4f57c63e8004246f4de753f9d062c151

SHA512
63ef57636acc76e5c642014703e8e622c4ae05279035db6114d50e450f8f5c7dc0d445a58e96a7bc22bda3741eff1f95d1d390440632689f30d1640ca3a4e498

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
63KB

MD5
465bce04302883f5a2b1a80c6f3e4282

SHA1
11ffb1af928a7ce6db48871bb6b5802ff0d6fbae

SHA256
338a54131c6a5f814eee3ba62401ed5e4f57c63e8004246f4de753f9d062c151

SHA512
63ef57636acc76e5c642014703e8e622c4ae05279035db6114d50e450f8f5c7dc0d445a58e96a7bc22bda3741eff1f95d1d390440632689f30d1640ca3a4e498

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
86b0c83953d52f36cb4a62ab677a0e8e

SHA1
b9fd283f37c2e5efe9d018f588bf982b8ca458c8

SHA256
9e0c86c9e56dfdfe58d4fa669f285be21a9e8da122aff82da82e373904a30ec9

SHA512
b7c991cca1d5219da9bb7a6fc7bf30e42f3c9379ef8ebc1a06f74bf79732aab4ac02d9e68191dc26cc1f9e8086e4bc1e29d8b11470d7a781ea8dc588b021b5a5

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
86b0c83953d52f36cb4a62ab677a0e8e

SHA1
b9fd283f37c2e5efe9d018f588bf982b8ca458c8

SHA256
9e0c86c9e56dfdfe58d4fa669f285be21a9e8da122aff82da82e373904a30ec9

SHA512
b7c991cca1d5219da9bb7a6fc7bf30e42f3c9379ef8ebc1a06f74bf79732aab4ac02d9e68191dc26cc1f9e8086e4bc1e29d8b11470d7a781ea8dc588b021b5a5

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
e3df015ac1be3a643ce5e37093720117

SHA1
cdd98e8b808d61202a26cc439a612abd73311271

SHA256
0c6655db437ac25020942cb6c4ef037a2f14874b2ae8dfe39617ea3acf05e8c9

SHA512
6a98a479a3111de3df4b9f358652ce38b59e5e5e2a43b4552811d88db1c8ad0cf5f546da48e9377c5b8f9cb12c89fe74681d4ac50533b9435bb53daf943ee89b

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
63KB

MD5
e3df015ac1be3a643ce5e37093720117

SHA1
cdd98e8b808d61202a26cc439a612abd73311271

SHA256
0c6655db437ac25020942cb6c4ef037a2f14874b2ae8dfe39617ea3acf05e8c9

SHA512
6a98a479a3111de3df4b9f358652ce38b59e5e5e2a43b4552811d88db1c8ad0cf5f546da48e9377c5b8f9cb12c89fe74681d4ac50533b9435bb53daf943ee89b

Download Submit
memory/640-263-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/640-260-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1052-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1136-305-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1620-180-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-113-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1672-111-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1772-276-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-285-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2068-252-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2104-160-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-130-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-109-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-460-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-458-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-250-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-248-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-457-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2120-121-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-271-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-238-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-236-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-167-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-176-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-302-0x0000000000550000-0x000000000057F000-memory.dmp

Filesize
188KB

Download
memory/2120-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2156-294-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-331-0x000000007338D000-0x0000000073398000-memory.dmp

Filesize
44KB

Download
memory/2480-330-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2480-431-0x000000006C411000-0x000000006C412000-memory.dmp

Filesize
4KB

Download
memory/2480-461-0x000000007338D000-0x0000000073398000-memory.dmp

Filesize
44KB

Download
memory/2548-171-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2928-241-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3020-133-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download