Analysis
max time kernel: 141s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 06/04/2024, 21:57
Static task: static1
Behavioral task: behavioral1
Sample: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Resource: win10v2004-20240226-en
General
Target: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Size: 91KB
MD5: 0e5817d0795284c455c76f25df817392
SHA1: b05e09a68085a4a1cd79d777da7f120b9fc39cb3
SHA256: 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
SHA512: 0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa
SSDEEP: 768:E3gRYjXbUeHORIC4ZxBMldNKm8Mxm8I+IxrjPfAQ4o3ImuKm3gRYjXbUeHORIC4q:uT3OA3+KQsxfS42T3OA3+KQsxfS45W
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Disables use of System Restore points 1 TTPs
Executes dropped EXE 14 IoCs
pid | Process
2676 | xk.exe
2816 | IExplorer.exe
1884 | WINLOGON.EXE
1032 | CSRSS.EXE
2424 | SERVICES.EXE
2864 | LSASS.EXE
2488 | SMSS.EXE
1792 | xk.exe
412 | IExplorer.exe
352 | WINLOGON.EXE
1312 | CSRSS.EXE
1252 | SERVICES.EXE
2148 | LSASS.EXE
992 | SMSS.EXE
Loads dropped DLL 24 IoCs
pid | Process
2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe (the same pid/process pair is listed for all 24 entries)
Modifies system executable filetype association 2 TTPs 13 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Adds Run key to start application 2 TTPs 5 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Drops desktop.ini file(s) 4 IoCs
description | ioc | Process
File opened for modification | F:\desktop.ini | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | F:\desktop.ini | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File opened for modification | C:\desktop.ini | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\desktop.ini | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: \??\L: \??\R: \??\T: \??\W: \??\G: \??\M: \??\Z: \??\B: \??\N: \??\O: \??\U: \??\I: \??\H: \??\J: \??\P: \??\Q: \??\S: \??\V: \??\X: \??\E: \??\Y: (one entry per drive letter, 22 in total) | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Drops file in System32 directory 20 IoCs
description | ioc | Process
File created | C:\Windows\system32\perfh009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00A.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh011.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\shell.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\Windows\SysWOW64\shell.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\Windows\SysWOW64\IExplorer.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File opened for modification | C:\Windows\SysWOW64\Mig2.scr | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\Windows\SysWOW64\PerfStringBackup.TMP | OUTLOOK.EXE
File created | C:\Windows\system32\perfc007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc009.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfh010.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc011.dat | OUTLOOK.EXE
File created | C:\Windows\SysWOW64\Mig2.scr | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File opened for modification | C:\Windows\SysWOW64\PerfStringBackup.INI | OUTLOOK.EXE
File created | C:\Windows\system32\perfh007.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc00A.dat | OUTLOOK.EXE
File opened for modification | C:\Windows\SysWOW64\IExplorer.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\Windows\system32\perfc00C.dat | OUTLOOK.EXE
File created | C:\Windows\system32\perfc010.dat | OUTLOOK.EXE
Drops file in Windows directory 5 IoCs
description | ioc | Process
File created | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File opened for modification | C:\Windows\inf\Outlook\outlperf.h | OUTLOOK.EXE
File created | C:\Windows\inf\Outlook\0009\outlperf.ini | OUTLOOK.EXE
File opened for modification | C:\Windows\xk.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
File created | C:\Windows\xk.exe | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | OUTLOOK.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | OUTLOOK.EXE
Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt | OUTLOOK.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | OUTLOOK.EXE
Modifies registry class 64 IoCs
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
2000 | OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2000 | OUTLOOK.EXE
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2000 | OUTLOOK.EXE
2000 | OUTLOOK.EXE
2000 | OUTLOOK.EXE
Suspicious use of SendNotifyMessage 2 IoCs
pid | Process
2000 | OUTLOOK.EXE
2000 | OUTLOOK.EXE
Suspicious use of SetWindowsHookEx 16 IoCs
pid | Process
2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
2676 | xk.exe
2816 | IExplorer.exe
1884 | WINLOGON.EXE
1032 | CSRSS.EXE
2424 | SERVICES.EXE
2864 | LSASS.EXE
2488 | SMSS.EXE
1792 | xk.exe
412 | IExplorer.exe
352 | WINLOGON.EXE
1312 | CSRSS.EXE
1252 | SERVICES.EXE
2148 | LSASS.EXE
992 | SMSS.EXE
2000 | OUTLOOK.EXE
Suspicious use of WriteProcessMemory 56 IoCs
description | pid | Process | procid_target
PID 2080 wrote to memory of 2676 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 28
PID 2080 wrote to memory of 2816 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 29
PID 2080 wrote to memory of 1884 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 30
PID 2080 wrote to memory of 1032 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 31
PID 2080 wrote to memory of 2424 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 32
PID 2080 wrote to memory of 2864 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 33
PID 2080 wrote to memory of 2488 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 34
PID 2080 wrote to memory of 1792 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 35
PID 2080 wrote to memory of 412 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 36
PID 2080 wrote to memory of 352 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 37
PID 2080 wrote to memory of 1312 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 38
PID 2080 wrote to memory of 1252 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 39
PID 2080 wrote to memory of 2148 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 40
PID 2080 wrote to memory of 992 | 2080 | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe | 41
(each row above is listed four times in the report, 56 entries in total)
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe  "C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"  1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2080
-
C:\Windows\xk.exe  C:\Windows\xk.exe  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2676
-
C:\Windows\SysWOW64\IExplorer.exe  C:\Windows\system32\IExplorer.exe  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2816
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1884
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1032
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2424
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2864
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2488
-
C:\Windows\xk.exe  C:\Windows\xk.exe  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1792
-
C:\Windows\SysWOW64\IExplorer.exe  C:\Windows\system32\IExplorer.exe  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:412
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:352
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1312
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1252
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2148
-
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"  2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:992
-
C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE  "C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding  1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2000
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Modify Registry 7
Downloads
-
Filesize 235KB
MD5 38f600cd69dbcff49e0b3da148a55ca4
SHA1 f617a23facd5ea520d50274aaee6b132812e904c
SHA256 672153c27b47493f130fd5e4db4dcfd7ff5e9c0d7b43fd172786ccdd14ec4004
SHA512 d52344e42cbed07eca06206ecc0f3af11310ce9b38288c844fe0ada769c08b26f6759c4ad66c22322be2711853a70861d92598fffd6aed72f7eb54efe9fc76d2
-
Filesize 240KB
MD5 253086a5c68964b3cc276c41f7345df2
SHA1 669f776c2e84d071ecf00b53a1a1521d3c0e7b9f
SHA256 f42058caf8cb9c244f2fa142186791e4faa1607c02432eb26341881fdb15a9b2
SHA512 fa98d8df1ad145849d105185b05cdaa37e06c3857912e4346ad3484f689759d652de3b7375a4f162e64b692b4327dbdeba0efee2e29287760a57593d25b86f94
-
Filesize 231KB
MD5 d64dd3563fc80fe0ca3f905eccf8f46f
SHA1 a81b84aa0ab2f73ce34ff5813535a9cc8f2af93b
SHA256 4763851cfa45964b7a4310d13d4d329554575d34110c779ff4f450de0892b7ed
SHA512 3bace8449295338dbe1fe5c450f089ab63cd21a6397d2518f345b3abde6c022be57b7216aaddaa41c5966afc329c7f4dfd60a213b9e984ec3ada073150233d5f
-
Filesize 91KB
MD5 0e5817d0795284c455c76f25df817392
SHA1 b05e09a68085a4a1cd79d777da7f120b9fc39cb3
SHA256 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
SHA512 0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa
-
Filesize 91KB
MD5 07b475ab48073f9ac1e3ba5944a4feec
SHA1 c4f269ad475d63e422aa8eaccc3c52ed9f2536b5
SHA256 16e7da71da41e7902ff2d95cd6e4bf1990b1602e286dc16aa5179190ebc37849
SHA512 5319d3d5061cf42eb8113199ab9ef933a06a1b66c7e651217831b55b1ded4a34754e9116f191ef332f2c16b2c7bc07ed9e06d1a69601f293deb9915b0f5fa52a
-
Filesize 91KB
MD5 ad2045b54e786f2b8ea22ab361313582
SHA1 5efc874ea5edd0c0ff265e43358651ca4e5665f5
SHA256 ab4c8b569296c80e334b9114bf4bc16b36945df02aa6cd2d06a74269285b6c8d
SHA512 cb09fa284a1c3b02634da11d29fe7c1ad4761c3556a4e9f802f0523c18bbc72351b653c215f1deca1f017608cc9d1671c54042c41d3eb61fdc5fae3175530907
-
Filesize 91KB
MD5 efe65b598ecec236e5e8b1f18ddfcea9
SHA1 dc84ea697f08e482caea011144bd01edb0153bf6
SHA256 efd315332724d69164901331d06626b83e7065ffd5ed842f7a247c6f3c0c6c62
SHA512 1eab8d92caa4a2098cd279b9912ccbc7029fd360e4bb2bfb99c86d2f6960fbf36c274777805905a108c45b409043f508c2eb51ad042d46786952c450167751a2
-
Filesize 91KB
MD5 15d9fa181bc927dba228d19728bf1efa
SHA1 dba6faa7244451d1d75c1e5d2e48e3edceb6bd3d
SHA256 4c7a44906fda52d26087bbbfd7aee5bef3af0122ff7c6f40aac15a5acd75b7e7
SHA512 dd3bcdba8769504ae04960391a8fa11516f9dd3873799dcd5aeabc3e49d7a4092b3eab868a912a0f7d48f307755da23fca968e58d4e9360e48a7155a36bcf6ce
-
Filesize 91KB
MD5 7c128c28560eabc72308ce87b08774aa
SHA1 cfde3f238b348fa42aaa93d378b38ef75e30763e
SHA256 ee22a856c3f98560b80ea561429559625ea5712130349711c16535dd53be2a36
SHA512 4652a9eff9f09ffd19a57e87b38c3acdbecad66feeaac6cc4493cf13b10b3d6f3a7dd4521c2aad52c88bb4f0527206b0f70aa9e209defa90207677a70231ebca
-
Filesize 91KB
MD5 853adf0747cc508dcad58714b0bba3e4
SHA1 9ed0ca53f1a2bc2b6b330d33909de180606812d6
SHA256 f178704d8dc03abe711fc0d93486fd2891a56268896f83d61fcb27195aef647e
SHA512 51091be2c5af9482942164b5d37a8d1e077717ff0dfc20244ea22d1067c39e6691b5fa97753dc376a6dcc39a87c8e3730ca6e954db0327542aa35ac79607f2c1