Malware Analysis Report

2025-01-06 10:18

Sample ID 240601-esdsmsaa99
Target dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e
SHA256 dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e
Tags: upx evasion persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e

Threat Level: Known bad

The file dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence

UPX dump on OEP (original entry point)

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

UPX dump on OEP (original entry point)

Disables use of System Restore points

Disables RegEdit via registry modification

Modifies system executable filetype association

Loads dropped DLL

UPX packed file

Executes dropped EXE

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies Control Panel

Suspicious use of SendNotifyMessage

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-01 04:11

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-01 04:11
Reported: 2024-06-01 04:14
Platform: win7-20240221-en
Max time kernel: 141s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (33 identical rows; the signature fired 33 times with no indicator, process or target reported)

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A (20 identical rows; the DLL loaded is not named in the report)

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (34 identical rows; the signature fired 34 times with no indicator, process or target reported)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Enumerates physical storage devices

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067356-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ = "StoresEvents_12" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ = "_DRecipientControlEvents" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\ = "_AccountRuleCondition" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ = "_OlkOptionButton" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\ = "_CategoryRuleCondition" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}\ = "_MeetingItem" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063008-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ = "Action" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307D-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063035-0000-0000-C000-000000000046}\TypeLib C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063093-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2504 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 1212 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2504 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2504 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 584 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2504 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2504 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2504 wrote to memory of 1364 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2504 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2504 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2504 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2504 wrote to memory of 2392 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe

"C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

memory/2504-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 7115016190bd18b9033384e133486351
SHA1 c421e3a01d36d2caccfc4dae05e4294b3f6c2edf
SHA256 dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e
SHA512 a07ca85790def168d44a5a9db4a7fe763304fa9c9e4461479c264a0ac9a2a7f07b90051ca2c519e51739336a8a4edbd89b78d246967c77838c365e17f89e02d3

memory/2504-111-0x0000000002440000-0x000000000246F000-memory.dmp

memory/2504-110-0x0000000002440000-0x000000000246F000-memory.dmp

C:\Windows\xk.exe

MD5 da5367ec4b3d0be3834888ca6acb7e13
SHA1 e97507e73d542d4673cd0fd1a62d1e9e0f7e7de5
SHA256 049b887da4017ae61c5eaf875f70c3080f3a4c370d121c3617999187d996e38c
SHA512 2231494915d871f8d5b05d925dcea7c4f33b232d47aa21176ab994480fc3ea8afb0422fd749239fee22d8288944e4f1164ed05bd0c53d1b3657b8fd2ae64f26a

\Windows\SysWOW64\IExplorer.exe

MD5 b5fb5c66f1ce37c796c87660f12d2e68
SHA1 b543215fc059b80e221bdff42fc4f1951b48d8ef
SHA256 96e232779107e546c8e3062819e5d68c9098ca7e8081c36ebb6307abb583ec3d
SHA512 a2e2fc55ff9796df9af03e3d08678b6b685ff97a2f052e71912cad381b0c95260e2da9c0b2d798117618cfc411af60bcef64a2bedadd5a02e0800794b59398a1

memory/3060-115-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1120-123-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 2d19153f7896ae9065b37ddad77144bc
SHA1 f67de875e21368112329889668b8ff710433701e
SHA256 e09c457d301cca9956bca800f1edf2285f54887d88eadb14a28e3f70586538f1
SHA512 f44d3cbdad84cd4c487cb6841403ba57905eb771a4db1833f4af8d334ab85f6952fcc3d0951fe8f53455396e9991db917c8cb2cb8db92ed52dd478f4e9d5ac27

memory/1120-134-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-133-0x0000000002440000-0x000000000246F000-memory.dmp

memory/2004-138-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 2570da2dbadc06e862ffcf8ad59c3f17
SHA1 cc56d2cbcb759d7374cd292cd47ac76a9c959833
SHA256 72a553b67433acc1d8cd3a294963d0e944cdc1ec4cecdc92361a016b04e337af
SHA512 22232e93979533000ada00eb90a06b943f094dd902af182b201962b1ccd133325351fc1086fece84fc3d04daa499194e32e419616c4b779da02621d0c4bb7623

memory/2504-146-0x0000000002440000-0x000000000246F000-memory.dmp

memory/1212-150-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 3fb1b279336aef7fc55f9c2539499d0c
SHA1 8c3ed745d224e9624d30b012341bb1c9269fbe6e
SHA256 a4c174e3c407515eefcff795ae46d8f9d689558e55d06eb2e8ed18dff3c7c53f
SHA512 f514a15c7d2f944239d11a8bcef8547d32a40ef04c0f2c8b5990a028a4ddc2210be75c9a5ad43cdd479a60777f178b0903f79dee33d2652d03c94d13c0098b4b

memory/2504-157-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1980-162-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\xk.exe

MD5 65caa779a1da98f853bb5e4d88ac9a89
SHA1 3931b586eb0a2f7b2f854bc028e08024c3a0a850
SHA256 90c902a683b5a0e8c1e572ec63d3d17a266479de9125e09d7fabdd952346e923
SHA512 75deb5e473d7ab0db0fd5107fad1e59068dd147c1b2254430a9a069425be8dad92a9feac92964f231fcb9655b9f4b4abf85be971eca21ca4940e28f22c561a8f

memory/1088-219-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 277ca4d8b3dc879462706a0b71c302b0
SHA1 8f08a58b32458586f8630d8504e48593a4f3772d
SHA256 bf8950664b0cacd10613075724aa6b7b0fd70e0ee367b786cf9b696ef4bb249b
SHA512 53f89a22cba13963e609b1a4fec957556466d743041c8ab0704e803ddef4697c0cc1619039cb07e4fed45cf9047cb3bbda8ae3636a2291f8d3aa22eb3b4b0ce3

memory/1088-230-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-228-0x0000000002440000-0x000000000246F000-memory.dmp

memory/584-245-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-244-0x0000000002440000-0x000000000246F000-memory.dmp

memory/2504-243-0x0000000002440000-0x000000000246F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 92b358a484929b77f70dcfd4f46c96ef
SHA1 21c2859fe8e8e67e25db6cd8bd8d4d9a803f7bed
SHA256 891ce2bb413dcf536ad4603338d5892dd3f8e4d366e32450f2d34cb13527bc2f
SHA512 3380195c6ffc114783dfec4bac5337df657157b4a78d0f90b30c18a1baab5950ffcc316ad9598560f7f6bb74c30672e6d50b637f25e0a07ca556bb0bbb07d9f4

memory/1048-238-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 0aacfc620624b34ace60e43e3ea95b2a
SHA1 ca2cd314650d099ef35d77d7c2f13bb64a0b7afb
SHA256 9df38d3c94816cc0437c348294185d6511beb270b8e542c19d31eb28aa461cc7
SHA512 1bec87b311aa18a6a538c1d777904b13b021b8ad877712fb4049ae5c3b39fafc4738411e935a8347f8657aed16b3dc15549e46a407e19a2b758df59a4f2c4a6e

memory/2944-260-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-259-0x0000000002440000-0x000000000246F000-memory.dmp

memory/584-249-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 0b16a65dae246083386cdca4298b2688
SHA1 341baf4f1639445c9cc9e693cbe125a6d7604563
SHA256 8132895999f8deb4045f64ee070233a037a1391ff836d354713ebd63e28354ed
SHA512 3e7c4fa16c5ade0cff261f02b4f82a165cece72a62b645f556a0ff3d5eeb988167dd2d21d8f838cd10332f446f0ef23e2763668d69e00b421fde7f2d6c7ce3d7

memory/2944-264-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2504-269-0x0000000002440000-0x000000000246F000-memory.dmp

memory/2044-274-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 b432c3a33ab6cd2338da2203022fae3f
SHA1 f1e1a3f0bebae96b3902456e424f4a6d636ac59b
SHA256 b81bd442e4209445c5de702f92077a4ab7321976dfca94f1cdaed7aab6a31740
SHA512 c58f7a9ce409be5fa256e00cf5b391cea7b760a20f2e8cfc1bb0d652e4f3d70be4b3ac2243d33591b9be8d00bf845003c10ce2918102b222691be527b8be9f89

memory/1364-284-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 242c172c57c20368f99dfcb571ecfcb2
SHA1 7658e7e140dca869b336daa98e0dd990e7a01385
SHA256 6adad52e992f0f85d4bbc72e439014b32c170561796205f49260b21ff55ac243
SHA512 19c9688d14da62429feb49dec4597ee6f6415b7afc5f8dc2c72ee0ac9c8e059b1d9ea0b8dd44e45597ef07c97b8ece84d83a74460bb64a5b90a1eae6ecd99e5e

memory/2504-292-0x0000000002440000-0x000000000246F000-memory.dmp

memory/2392-296-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1180-321-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 3b63567142c421476bc40a6f99d25a21
SHA1 c4be0a1d15609f6594277c4f0f0ff2ea85922d5d
SHA256 e8edd60bb8dbc3b4c5bf4e63a17e107c7c9ccf1614587ea43d7c2f9bc82a51e6
SHA512 3a55db53da2f2c5d8572718f05c608d5ec59896ad242dba725499e603074cebad17401080a86e2d81a8a7dc052b525c66908007a02d235f90b1ac7b3f550c352

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 002e52e4f821de0a36e8258f5ea53709
SHA1 b994bc2ed9697c2276c0f953459e0c92c2be191a
SHA256 64c65dbabfb5a387043ac681abd76e6f4477eb6798e1b8a3322309094f5a2f5c
SHA512 34809569a8d7866bd3e3ebf6a779ad66b73009d43436467a493fac289c0223db0f904d5065fa24ebbbeb7b3fbf0aee127989b449a8641f1b6b0964fdb1696de8

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 93dc1e7e8e4dc4762538a84b135b355d
SHA1 bb5653cf46ca6b9dcf6925ed5bd9b7f75dc997b6
SHA256 fbaf3df6ac17055ec9d5da6aadd6377d3f1651157107aeb86f5a9d51419b673c
SHA512 4516d55e32320c75e448724430afc4d723a5db0edd5279acd013195c59f993f9f0c0306099295bd3f8173d63822aad1de4d89a589e086234e8217ba439c70b5e

memory/2504-446-0x0000000000400000-0x000000000042F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 04:11

Reported

2024-06-01 04:14

Platform

win10v2004-20240426-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2668 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2668 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2668 wrote to memory of 4296 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\xk.exe
PID 2668 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2668 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2668 wrote to memory of 1844 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2668 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2668 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2668 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2668 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2668 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2668 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2668 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2668 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2668 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2668 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2668 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe

"C:\Users\Admin\AppData\Local\Temp\dd6c9a8045da52d61a2ff855e3432f4ef72863dd367f20410fcd12949192556e.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/2668-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

memory/4296-114-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1844-115-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1844-118-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

memory/3476-125-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

memory/2856-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

memory/4960-136-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4960-140-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

memory/4792-149-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

memory/1200-154-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2668-155-0x0000000000400000-0x000000000042F000-memory.dmp