Malware Analysis Report

2025-03-14 22:35

Sample ID 240406-1t546sch22
Target 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
SHA256 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf

Threat Level: Known bad

The file 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Modifies system executable filetype association

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Adds Run key to start application

Drops desktop.ini file(s)

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SetWindowsHookEx

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:57

Reported

2024-04-06 22:00

Platform

win7-20240221-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ = "ItemProperties" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ = "PropertyPages" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D7-0000-0000-C000-000000000046}\ = "_NewItemAlertRuleAction" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\ = "_OlkContactPhoto" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\ = "_MailModule" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ = "OlkInfoBarEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ = "_AccountSelector" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ = "_RuleConditions" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F3-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}\ = "ApplicationEvents_10" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ = "_NavigationFolder" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063041-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2080 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2080 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 412 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2080 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2080 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1312 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2080 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 1252 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2080 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2080 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2080 wrote to memory of 992 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe

"C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 0e5817d0795284c455c76f25df817392
SHA1 b05e09a68085a4a1cd79d777da7f120b9fc39cb3
SHA256 6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf
SHA512 0106bba2aacc769989f505cdc3e2bcaec1a9f8b30de3cb623207f3ae7d1255d6e3a6a693c4155b262cf510ad795c4cc1ed40989cb10ea80c2447729154029baa

C:\Windows\xk.exe

MD5 ad2045b54e786f2b8ea22ab361313582
SHA1 5efc874ea5edd0c0ff265e43358651ca4e5665f5
SHA256 ab4c8b569296c80e334b9114bf4bc16b36945df02aa6cd2d06a74269285b6c8d
SHA512 cb09fa284a1c3b02634da11d29fe7c1ad4761c3556a4e9f802f0523c18bbc72351b653c215f1deca1f017608cc9d1671c54042c41d3eb61fdc5fae3175530907

C:\Windows\SysWOW64\IExplorer.exe

MD5 07b475ab48073f9ac1e3ba5944a4feec
SHA1 c4f269ad475d63e422aa8eaccc3c52ed9f2536b5
SHA256 16e7da71da41e7902ff2d95cd6e4bf1990b1602e286dc16aa5179190ebc37849
SHA512 5319d3d5061cf42eb8113199ab9ef933a06a1b66c7e651217831b55b1ded4a34754e9116f191ef332f2c16b2c7bc07ed9e06d1a69601f293deb9915b0f5fa52a

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 853adf0747cc508dcad58714b0bba3e4
SHA1 9ed0ca53f1a2bc2b6b330d33909de180606812d6
SHA256 f178704d8dc03abe711fc0d93486fd2891a56268896f83d61fcb27195aef647e
SHA512 51091be2c5af9482942164b5d37a8d1e077717ff0dfc20244ea22d1067c39e6691b5fa97753dc376a6dcc39a87c8e3730ca6e954db0327542aa35ac79607f2c1

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 15d9fa181bc927dba228d19728bf1efa
SHA1 dba6faa7244451d1d75c1e5d2e48e3edceb6bd3d
SHA256 4c7a44906fda52d26087bbbfd7aee5bef3af0122ff7c6f40aac15a5acd75b7e7
SHA512 dd3bcdba8769504ae04960391a8fa11516f9dd3873799dcd5aeabc3e49d7a4092b3eab868a912a0f7d48f307755da23fca968e58d4e9360e48a7155a36bcf6ce

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 efe65b598ecec236e5e8b1f18ddfcea9
SHA1 dc84ea697f08e482caea011144bd01edb0153bf6
SHA256 efd315332724d69164901331d06626b83e7065ffd5ed842f7a247c6f3c0c6c62
SHA512 1eab8d92caa4a2098cd279b9912ccbc7029fd360e4bb2bfb99c86d2f6960fbf36c274777805905a108c45b409043f508c2eb51ad042d46786952c450167751a2

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 7c128c28560eabc72308ce87b08774aa
SHA1 cfde3f238b348fa42aaa93d378b38ef75e30763e
SHA256 ee22a856c3f98560b80ea561429559625ea5712130349711c16535dd53be2a36
SHA512 4652a9eff9f09ffd19a57e87b38c3acdbecad66feeaac6cc4493cf13b10b3d6f3a7dd4521c2aad52c88bb4f0527206b0f70aa9e209defa90207677a70231ebca

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 253086a5c68964b3cc276c41f7345df2
SHA1 669f776c2e84d071ecf00b53a1a1521d3c0e7b9f
SHA256 f42058caf8cb9c244f2fa142186791e4faa1607c02432eb26341881fdb15a9b2
SHA512 fa98d8df1ad145849d105185b05cdaa37e06c3857912e4346ad3484f689759d652de3b7375a4f162e64b692b4327dbdeba0efee2e29287760a57593d25b86f94

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 38f600cd69dbcff49e0b3da148a55ca4
SHA1 f617a23facd5ea520d50274aaee6b132812e904c
SHA256 672153c27b47493f130fd5e4db4dcfd7ff5e9c0d7b43fd172786ccdd14ec4004
SHA512 d52344e42cbed07eca06206ecc0f3af11310ce9b38288c844fe0ada769c08b26f6759c4ad66c22322be2711853a70861d92598fffd6aed72f7eb54efe9fc76d2

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 d64dd3563fc80fe0ca3f905eccf8f46f
SHA1 a81b84aa0ab2f73ce34ff5813535a9cc8f2af93b
SHA256 4763851cfa45964b7a4310d13d4d329554575d34110c779ff4f450de0892b7ed
SHA512 3bace8449295338dbe1fe5c450f089ab63cd21a6397d2518f345b3abde6c022be57b7216aaddaa41c5966afc329c7f4dfd60a213b9e984ec3ada073150233d5f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:57

Reported

2024-04-06 22:00

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2840 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 3924 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 3352 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\xk.exe
PID 2840 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 3100 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2840 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2840 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2840 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 1080 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2840 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2840 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2840 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2840 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2840 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2840 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe

"C:\Users\Admin\AppData\Local\Temp\6a58b0bc4c822cc137698ab4e80280822987179bd565aa6c7ed076debd8acfdf.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network


Files
