Malware Analysis Report

2025-08-11 00:04

Sample ID 240525-2czrhadc56
Target 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
SHA256 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
Tags
evasion persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f

Threat Level: Known bad

The file 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f was found to be: Known bad.

Malicious Activity Summary

evasion persistence

Detects executables built or packed with MPress PE compressor

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Detects executables built or packed with MPress PE compressor

Disables RegEdit via registry modification

Disables use of System Restore points

Loads dropped DLL

Executes dropped EXE

Modifies system executable filetype association

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

System policy modification

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 22:26

Signatures

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 22:26

Reported

2024-05-25 22:29

Platform

win7-20240221-en

Max time kernel

140s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ = "_AttachmentSelection" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063045-0000-0000-C000-000000000046}\ = "Recipient" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ = "_Inspector" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}\ = "_RuleCondition" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\ = "OlkCategoryEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ = "AccountsEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\ = "_JournalModule" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\ = "_TextRuleCondition" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ = "ItemEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ = "_Rule" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ = "_Stores" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\ = "_NavigationModule" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ = "ExplorerEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 312 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1344 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 748 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 2076 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2076 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2076 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2076 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 1148 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2076 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2076 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2076 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

"C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

memory/2076-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\services.exe

MD5 636e5a04688045b7bb9e766678779042
SHA1 ee262b0581b7504b8705ba9943b62f25fa9208fd
SHA256 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
SHA512 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

memory/2076-108-0x0000000002780000-0x00000000027AE000-memory.dmp

C:\Windows\xk.exe

MD5 cbe3d85ef31aba51b8531122fbf756ea
SHA1 9cae6100ec56cce176d84a9e36b1ed1d6bcfaf43
SHA256 48b675f8ec444e2c99383223490cc96d5af25ad2402b76af5f3cea82c89fe237
SHA512 32e618bcdc35b3a7472380d58639cd9f460aeb6e3e33859d08a2283ac4b68f45b7140424fcf501c1c91c126f2fa6ab0b08cdc1bcdfe0bba5db56add718f23284

memory/2420-114-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 5e1bc18182d07d225e7d16be61471dd7
SHA1 790f7ec1a0b6b29dc9af30a093878a08965ba4a6
SHA256 8e4a64f0185bda47b20a8a17a7fba7e747b94869384f32c02faea92aed3f3734
SHA512 c9a6668d0d0bf46b93acdbe9f84448a28b150729459c8bd40bbbe5ffa01afd21e74a2ddcb58c18534b760405309ffd2db7d722412eaaa1975ca9109bd5af9475

memory/2796-122-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2076-121-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2796-125-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 15227630e6034a235d6d9283367144b8
SHA1 c4b9d179b68ae4130574adb4c76707d6305ab4cc
SHA256 841ef5c3ec75c5f48577f1d3a91aa79524a6ad30958bef9c545c3b4f6543e7b1
SHA512 3ccbcdc009ee39ee1c1c708c8faaede9622e68d9f940c97440ac1853ba9461edc63302c8e15d1ce3239110613a1f970b198235ff772b47a828ba9e70be766f81

memory/2076-133-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/312-136-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 07336e97096a76d94da07929d5104aa4
SHA1 3852b49c868740b0204a698031ab583984a0f0cf
SHA256 3936f0037a1f56ea94f7a30eece6f8d177ec22c1440f62cf144d655fd80a2b97
SHA512 39e0efad82270416bd6d64b10c7467277827bed488d02a82e5627207a283ef6d81347a11a26f30feedfd32975533c943b58c02ece2ee48bb5657a8cfbe00dd5a

memory/1344-144-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1344-147-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 9436fe8030e00c10f67135f9c520c713
SHA1 4d99734d61102bfdc789e2b52327206231208c7d
SHA256 300a927abe37c346b35f5a2186c25ad64d48cb59a0bb14b86c517ff4b0a07b6d
SHA512 9527b7d7ca77a0521ee1aadb3e092b6bd5c2b5368dd0c20fb7099950f72635af4d860badd49c9ceef52893585e08b668e63231bb8138fa2fe16a705b68e7b5c3

memory/2076-150-0x0000000000400000-0x000000000042E000-memory.dmp

memory/368-156-0x0000000000400000-0x000000000042E000-memory.dmp

memory/368-159-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 e164ea3d85b1a985a016817c4bdd7ae8
SHA1 194db080b94c6fa75d60a802eb425c2ce06351b9
SHA256 8733a7d556a8fbf4fbec41c0128f8331dbfe1a1a5e0b7ff7a05c07d4926568de
SHA512 d68e47aaf30feeba58ceb185cec532db57bf13c901386875a9467306c9f324defb60c4ccbe100da387b3574a139d8aa45669aedf91732597a40b95fb80c97c3b

memory/748-169-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9973b2c296a65c496b82a08aca5889ba
SHA1 173581916d39edf8f5ac7bd9228a1b22f2ff30b1
SHA256 929040754750a1edbedecbf0e7e225e251ce3a7992d5ac3f2203d3b1ef2c78ce
SHA512 49ac35a53105dd608e678db74bdd9d0552ac2908c97e96f3f5b8400708da8b53b6543f284f166e4685f5d37acfd9dea46be6a8cef1b8e7b0aff1c846153c4b79

memory/2076-177-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2292-199-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\xk.exe

MD5 56b428d340994f196376523a2d08d13f
SHA1 b5019ed496cd52946cf1e821a9394b080924ab1c
SHA256 5ee1aca367d31dba740e0ea23b988a5504b5ec2d549b42f169b81ca7df660a6a
SHA512 11d9a3345c67bd8764644fde5c45b13602b4d1f442e5a47f3cc271056a41a49033ec69b7e60d2db8326ab61c681aadd2c5ed4080c03f95ab81ed30e06a94f151

memory/2076-233-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/3008-239-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2076-238-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/3008-244-0x0000000000400000-0x000000000042E000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 aae51a1187d5b84625a814897a8c3deb
SHA1 030b7a0067d8fbc0dc1ef4e9ab3097f9cdf8a211
SHA256 862dd064b44272c2663256066a57dab9879f34ccd42c9605600a38a0d4a7b148
SHA512 31b04f7a896e4fa3bd534db447f817062ae29147ca27240fc6b44e93e442bd2c412937d83c35eb1078a8a9923734a9795af0e84c67cb65bd6e0c41a3e1f183fd

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 8cdb22cfe57ad631d89a9e9d8fc4bbcb
SHA1 9af7950ae759cfeea7142c0291874f3666face49
SHA256 311c41ff1b7e89c6eef0e95a847ab2493d5853d2e74e427264a04e06f80c308d
SHA512 cbe591e819f6f6799172232e4eb43cc58874dfbbe622280c59c53e6d7762d8729416b8b8b2cb85af43f9cffc6327b71b1cfa471b8755b6ab0a7f78338ab4e56b

memory/2988-259-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2904-266-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1684-275-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2076-274-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-273-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-272-0x0000000002780000-0x00000000027AE000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 a5a21dcd25f3f6b405179f49bc2655a8
SHA1 60c326bb9abdaea2d4a07e187179e58cd93d7987
SHA256 6adb266cf65839b59a8a2edd227ac3fb576252af3387767bfd8ec4784cc472dd
SHA512 ce4c74eac6f46e92c69051b40a9ca266982cb98009f07308efb409475b8ca434eb3a193f9466f62dbe61f1e33ba482d5d73ab018ec8f9f5c62368c520c32f02a

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 66052f25952a48d05b980ae87518614d
SHA1 088dce134bf1b83eac7350ee7a2bacb5a1d93d92
SHA256 447dcc6a82ed9f8593c7123ec3aee527846b0b7028a1d79d1e91d71b4382e282
SHA512 0a05196c831e920e8bee561c83cad182953cec8818756fb936186c198ec96ae18a7f0864e002ec13166ff5a63a45f244a45b8293e5f10c9b0eb843c15003e3aa

memory/1684-281-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2076-290-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-289-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-287-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-286-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/1148-293-0x0000000000400000-0x000000000042E000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 479dde8ef252c19ffcbec1f5359ab4bc
SHA1 339234e36878b1cd0fe5bd168463c4e6d42464ed
SHA256 7223c11e8a9ba856f7705875e39050fb0706e85f5ee938dbfc8668f78d2a07c0
SHA512 bffc211153d5902ce4d56489a6fc5079ef5d24feb7bedbd8fde5d445488262b2072a7c0abfd78cb68ea4a7e49942e015d9840c427fb9306f38fae0392ed57da7

memory/2076-296-0x0000000002780000-0x00000000027AE000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 7f7fad8079e534a15f12d2b2ff92ef49
SHA1 6924daff6b2483ffcf7eed31abc0aa6ed8897b85
SHA256 9f4c7052253b67437d141e6ef95f3874fbb5f58c04f19d2a27141fb72dc8cc7b
SHA512 0474c5f41f395df2898014cba4e029fa1fb19b0e866ea91073841a18358c6d72e9fd90c10c98c10c5db988233cb9a2a2c05e1beebb05378e039692bf8f5bebe8

memory/3024-312-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3052-316-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2844-341-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 6bee9adce38c3d5f68b747c8b20b8128
SHA1 47b9c2951a719685a1c2c66dce786a87c3973f90
SHA256 3253e607b66e9fbe3deb5ae9e79b3965aee7439735cedca3f58ab56f4120b8ec
SHA512 7fae9b7736af5c4ef9e620a1564b956dee91f40fc5cc68fd0211eb281c88eeb63f0522aeca177f38c1d74eb8c2bf5da67b8ec34155977dbca3ad4c02fd453796

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 6fc0e53c359f3b0ebab08c034a3f9fbd
SHA1 f7bba75f3d1ddd0fffc5f6404c94823bf570c313
SHA256 afb525267b7024f9585f0c31335718eb8f66d1ddc8c1afa785c8928b803f19ca
SHA512 af15ca8354c0882a9b8e92c0a008278e060145b02eebf4d13496da0ff8e217e61fbee1462d2932d0e75bef32d0582c48096a2e3c5044e797a8a51bfbc967b7eb

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

memory/2076-466-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2076-467-0x0000000002780000-0x00000000027AE000-memory.dmp

memory/2076-469-0x0000000002780000-0x00000000027AE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 22:26

Reported

2024-05-25 22:29

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Detects executables built or packed with MPress PE compressor

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4320 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 4320 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 4320 wrote to memory of 820 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\xk.exe
PID 4320 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4320 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4320 wrote to memory of 3708 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4320 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4320 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4320 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4320 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4320 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4320 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4320 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4320 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4320 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4320 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4320 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4320 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4320 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4320 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4320 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe

"C:\Users\Admin\AppData\Local\Temp\639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/4320-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 636e5a04688045b7bb9e766678779042
SHA1 ee262b0581b7504b8705ba9943b62f25fa9208fd
SHA256 639088a541928a5d1531bdf56f8f5775022af3184ff3555dde59e95349e7df4f
SHA512 96fba92a7da299d8a2c90c3c91eac6b8852fc13a3e56ade7c94d0cf95d5aab4eaef13ca683c6406c0bb8321633b8a6f6a86f5ba1dd2a99260fb2f8ccf3f5a25c

C:\Windows\xk.exe

MD5 0a11facc5fb553045b0519f18fd4ca93
SHA1 1fd704a01597c9ad20b079f26961570c015c3763
SHA256 8193fe38ffd8b1489b91e8700e25b0bc2b423880d7582abdd145cac4d7fc2391
SHA512 3999a69d8cfcd6f2c7de86fadb13874e0b76eb5a04271db8006fb89023bb7f48f85f599a506b5f2d78edcdeb93165b55b22e6d1206fee7923a1a4da7ab24a164

C:\Windows\SysWOW64\IExplorer.exe

MD5 e6815a06181fa25472254b6487365584
SHA1 37d5731147f59111baf7429af2bb0af8ad53f22f
SHA256 1d8cdbcfa2ddb0a69c37e4f43373e03584d88682d675d282fd1c5a6cbdc5f6fd
SHA512 2bbe9f3ebb6dda986986d03c94da073afd8d4fa83da6da3243d089e1116ee21a8364748c335e9f997c7531e04e0ae7795efb5fa7b2dbf97460c9c8ae1cf1faf6

memory/820-114-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3708-117-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

MD5 8789daff15be061c694aeb82a0bfff23
SHA1 de1e5bec03e8cfa3b0805c946eda092963d607fe
SHA256 39da2ed049600ecc76770e32063e41ef69f30d01c9d7c77052a513dd96ec04fc
SHA512 aecbd484dc9c80c7805808e2a8e55f5ff4401b59d52ae92ae2f8c81701ad52fe1ec57f971020b86ff0b3ca476299ee64c6440cc847a846677a5cc8260e830854

memory/2396-123-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 bf30651a3499b5eb3c1bf12eefefbe49
SHA1 8cbf18ef1199be1d32c24d0452c8a8c6569eaeef
SHA256 5f1f0a2d55c24d6a34d46a45cd4d77214627a809029db4043e6c3a22f64ce25a
SHA512 d18ba418bef59264f491b7a9eb26773db66ed3d44989c4248369be9e04ed9ae80f9ff455e9cf70416ecfe182f8207d24a8da338d5d979d2e24e6d18784bc6dc9

memory/5012-130-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 adfc1f2fcd4eb7ffb2fa1bbf75aff68b
SHA1 2a1c7d7e4ca924efa4fd8b67f613524b49f209e9
SHA256 e5cbb7661b29459299875bee1ca9327b15825797e71198bd0286af4ec1f61784
SHA512 87ea8bfbb5177ab9738c4415bfa447076a70553114d556a7b5ae58a1dab3313916f013d615dd7148d7ddc564e57698e1677f56030bd53236b0111c5fa1b94f09

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 e08d7cf8a7a3e909dd4fe8ff680e53f5
SHA1 e5eaf3ef3351a42c1d7b30e694266eba990a643e
SHA256 cb09594e2b95ed6fa2463235857e237c45d11ad690d1b0690db19e0dbb921c68
SHA512 bb87f10611040c4cbd31207a2691224b7fe0065d850ab140ebc8dd88251f8c63b3576c6731bdfabca643c8f3f0d9d8d06581b584da89ff99abb50cdbe9e49cf1

memory/1668-138-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1196-142-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 be043a994d136e1ec8ce33888e7e6139
SHA1 cfd9f2c68047b0cb8593d6142b92a6573c2f1866
SHA256 12850c894f33323f62c54c1eff48fbf40a4c3cea8e38f0e9524eee653d25c4e8
SHA512 b801ab41d5eaf458759d702efff7f39384a86d5963bb60bcb956a1d0b03998809ed420bf404ef8dc63f2b6fe91f4f30dfd18115599d609693b38ce3ee0e91279

memory/1216-146-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1216-149-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4320-151-0x0000000000400000-0x000000000042E000-memory.dmp