Malware Analysis Report

2025-04-03 19:50

Sample ID 241109-xt4dsszgmq
Target 024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f
SHA256 024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f
Tags
discovery evasion persistence upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f

Threat Level: Known bad

The file 024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence upx

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Modifies system executable filetype association

Loads dropped DLL

Executes dropped EXE

Drops desktop.ini file(s)

Enumerates connected drives

Adds Run key to start application

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

System policy modification

Modifies Control Panel

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-09 19:09

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 19:09

Reported

2024-11-09 19:12

Platform

win7-20241010-en

Max time kernel

141s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Disables use of System Restore points

evasion

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\SysWOW64\shell.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened for modification C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\IExplorer.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File opened for modification C:\Windows\SysWOW64\Mig2.scr C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies registry class


Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2404 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1476 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 2820 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 2820 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 2820 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 2820 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 2820 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2820 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2820 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2820 wrote to memory of 236 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 2820 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2820 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2820 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 2820 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe

"C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding

Network

N/A

Files

memory/2820-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 5d1b08a8f3bac19e29e8d59db580ee44
SHA1 8cec06018aa979f742643ff11bc24227a6c96952
SHA256 024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f
SHA512 44f978c9ed78e159a4817ad2da755c1177bd27dc71fd19eaae44bf6d80f816c59ee62d22c63ed9c41aba1558117c70e40eb93eda737e689ff2b6e07af6064def

memory/2820-109-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Windows\xk.exe

MD5 eb213720e8a33939453e7799448fb581
SHA1 5272c89bc773e8bab77353c046f0d29e92ece122
SHA256 58113f85caf2b5463f5d252c9b10ea08566a70782785a22182b8fb30b61d163b
SHA512 3f5608a648602f78b44dfe4d91699fb54cb017a01cf59b485da2bc97aec0d38d8512514bdb70917c8f1c7c48db2ec7483f8fb70928725cfd90c289dd7c357805

memory/2820-110-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/1600-112-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1600-116-0x0000000000400000-0x000000000042F000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 5d8adb2d8030cdff2c4c9c7bac73d622
SHA1 0e70d460d609d10871a7f744dd9ece6d2311c1de
SHA256 14d06d4a8e91f69c7b012cbb391153d88edfa137ce8190f8307738151b43baa5
SHA512 c4ef2744f390df9fc46824766a76423d2a32e3e2ceeef7dd3eacc6f1d4be0708cf0a1ab596a183df4c82cf6b2da3ec3229866c3151a1b8fb07b855cf92fef6c0

memory/2820-124-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2404-128-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 090fad22a92b3e8b13613eec88ae9305
SHA1 97dcfed2561078dd4735f0846a3fe6be3cef221d
SHA256 2ee152d36e54a7d8dfe027e81fc4f6e14a9f39015f9bd5c42d5fba0e32aa77ea
SHA512 dd248f3c7d25e3fa42f755b478ac85ea48d9b286ed806a96a8b01b14ad913a3bb8628d21b949b65cd04ffc46c7de02ade8dd76a0b093dda8c5bca58cc561faa3

memory/1348-137-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-136-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/1348-141-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 3f432dc4bcdfa91734be2dae6a737e79
SHA1 d692cc9efa0ec10d53067b3bd610b68e208d580e
SHA256 3aca2b801da19d148242e04571dd596db09a2eea54d6d96fd5746c19a5b56c3c
SHA512 e714347f66164f342e9d05694d126cf9b797f78d27f0147f8a85484868a2daa8bf44a83043a8c0ec32d1445cd2d22dafcd1982faee5c4defd0dc605d6a9bca0b

memory/2820-144-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-150-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/1476-154-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 273e0cad26d0e199645275cc46575ade
SHA1 2f162a4cf28e3a3a08ffd098a68e1abf180668fc
SHA256 7ceed93571ef6632371e47fd2d81e8e4a4c7808276f3a2605a30392c8f4582fb
SHA512 5495edd47ff55e9dbfd9f481da4833c833c1ce84bbbb02161e3ec63cb0485d4f2547fd6617d3227dfe8085c87dad8bb2a9d9b6bb2ff5867b68109b5aed3c92c1

memory/2820-161-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2264-165-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2264-185-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\xk.exe

MD5 e1b4a31e6a2e2d0a34781347352cadc7
SHA1 7fcf5d429aca0bb0865d92d917c6c845ca57a334
SHA256 ee9e90c15bb5ebd94e8060166f195c0b729bc2b40ca8b8ad56a086eb118bb3a5
SHA512 c099a6185befdd1824d71eee5d8cf2dde9484e6d10134a1763c300306aef1ababf5d8a53914f8083f72ca2930318066f19e606dba85491293ab5e155400647d5

memory/2820-223-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/1992-226-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-225-0x00000000003D0000-0x00000000003FF000-memory.dmp

\Windows\SysWOW64\IExplorer.exe

MD5 727356a88a8e890d62a9ea5ab5e51977
SHA1 61556582fde302221f80674f112c8259720e75a2
SHA256 3d24549b2752142652557042c3ba0d51a253485f7c36effd0bb3ba420e98167f
SHA512 b4f2b72193d161ba5fde3f33b15474c03fd60f259129aa17a79fdbb4c6a7ff30013cc13ac14c43339cc1da76b1d01b0b2d39719bcea6710cef240b72c7dd1cda

memory/1992-230-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2116-252-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-251-0x00000000003D0000-0x00000000003FF000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 2187d768a2d768eac2ded1c948531cbe
SHA1 4f71b8939bc7675615a6869f5b4c04305635b9aa
SHA256 3b622b293be4bde77579485ffd5d622fa27de7250d33dd5fd9f4f736f92d0f1b
SHA512 061ff37d67d7ae1fe8a5d2ce7734c1653bd9bdd172906686026c9383bb59a3fad83c7d46d272962cca3ed62b7069a979f25ee7d9b5f637bfaea0d0a1be93272c

memory/1224-265-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-264-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2116-254-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-250-0x00000000003D0000-0x00000000003FF000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 c5c246f572602bfc4284647a099b8af9
SHA1 0d55511452e42a764520db17cec4d85c8226bb72
SHA256 1b775ede5857cc539be12861bcff3a6c569a9887932a07e5e81f8dbe4d22ef90
SHA512 4cb53d1bc5d1ab938c83cc9a71c3edee34765b130a0dbefad716218cc62abf1b9c4406b13a2330cda1710fb79ca56b2408f7bdf6599e07cff702ea0f9108628d

memory/2468-242-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 f7ec6c59b1d032b49643c4f694a985af
SHA1 90a7d271d30edde626065feb260b8532c91741e7
SHA256 3dd6a4ef29dee3684dee8ce78e472552cd8c8923d4b9e8a900ab639f4e26c588
SHA512 12270d0b274ea8f3450bafddb2025e6122c7f49ea1a3bb43706de94c6835085c3cf0019584b2be73917c5aba19e08215c9023759e9f02a4eac477a21feb14ccb

memory/1224-270-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-268-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2396-277-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-276-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2396-281-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 92bb8c50d414f611784ed6d2dc86ca8f
SHA1 18e207eaa16c703748509e3fe584e85c9aa297af
SHA256 b3296ec18f983e8a020be1ceacda68a845f0726d6bffcaefab474a9fe2a477e7
SHA512 81af414de55d12b16076dfcce70c8ff50981586f2e36105a58aa2349cfd11898d3b0d9378abadf214d6048acb594777e04eb4a75879cf85b45e443730498356f

memory/236-292-0x0000000000400000-0x000000000042F000-memory.dmp

\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 9da4a47f8f5019d3af97337ab60036b9
SHA1 4aa6d74f54f143ecd68624a931a9f1c6b07042b0
SHA256 321d8c20b4a29ed1991837eb4e6cc97192a1bbc1fedccf1de96abc81e314caa0
SHA512 d3684e9a6aa413cb4960aa5e3dc7cb899cbf9c4b2e9058cdb74a1cf0b2830e64b7a1c1d5117731dfb4867f9b5a0cec5a34c6ed8432ae86bd21e20a52b7851f57

memory/2820-303-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2820-302-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2820-301-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2820-300-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2376-307-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2108-332-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 b3fd2998e815527f33f57a3edc578fa3
SHA1 6e967558f5ff8d1d420f55ce34e8ce767bdf4a45
SHA256 e85a4bf54e67466c40c41330d01b6c3f05b8ecb89f7726e91c92ad42667695de
SHA512 abd6641c213f06bdd78f44dfd16dac750c4ddd567fa83ab7e917458992cdd91847f34444ef4b75c1ec0fc2b1d009b08c40bdda7937c2fa5536d3e4e892cbe14d

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 f80bb81606569eea592220f2bfd93b4f
SHA1 464af913c1c0aa96a34253b829335e6c2a85a93e
SHA256 2c2c47c7d39dfbee2551e1c945e7c249d723276863c64ebee9d9278b4bb79457
SHA512 80890e4a82c664f1cf0a3db85de5b051fdfe0352e661b329d1f518045aec93ab51dc05406cc5a74f0d96a850deaebc201d7b8b83453a782e1de17b3e9ae1c918

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

memory/2820-457-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2820-458-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2820-460-0x00000000003D0000-0x00000000003FF000-memory.dmp

memory/2820-459-0x00000000003D0000-0x00000000003FF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 19:09

Reported

2024-11-09 19:12

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

138s

Command Line

"C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\"" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Disables use of System Restore points

evasion

Modifies system executable filetype association

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
File created C:\Windows\xk.exe C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xk.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\IExplorer.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\ C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4464 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 4464 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 4464 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\xk.exe
PID 4464 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4464 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4464 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Windows\SysWOW64\IExplorer.exe
PID 4464 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4464 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4464 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
PID 4464 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4464 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4464 wrote to memory of 4152 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
PID 4464 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4464 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4464 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
PID 4464 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4464 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4464 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
PID 4464 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4464 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
PID 4464 wrote to memory of 4516 N/A C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe N/A
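The three registry tables above (Modifies Control Panel, Modifies registry class, System policy modification) describe one coordinated change: every executable file class is re-pointed at C:\Windows\system32\shell.exe, the exefile type name is changed so .exe files display as "File Folder", and the policy values that would let a user undo this (Folder Options, regedit) are switched off. The script below is an added example, not part of the report or the sandbox's tooling: it parses the flattened "Set value" rows exactly as printed, maps each write to the technique it implements, and emits reg.exe commands to reverse it. The clean default for the open verb of an executable class ("%1" %*) and the assumption that lnkfile has no shell\open\command on a stock install are the author's, not the report's.

```python
"""Classify the registry writes this report lists and build a rollback.

Added example, not part of the original report. Parses the flattened
"Set value" rows from the three registry tables, maps each write to the
technique it implements and emits reg.exe commands that undo it.
DEFAULT_OPEN_CMD and the lnkfile rule are assumptions about stock Windows.
"""
import re

# Rows copied from the report, Process/Target columns dropped (constructed input).
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"',
]

SET_ROW = re.compile(r'^Set value \((\w+)\) (.+?)\\? = "(.*)"$')
EXEC_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile", "scrfile"}
DEFAULT_OPEN_CMD = '"%1" %*'  # assumption: stock open verb for EXEC_CLASSES
LOCKOUT_POLICIES = {  # values that lock the user out of the tools needed to undo the change
    "DisableRegistryTools": "blocks regedit.exe",
    "NoFolderOptions": "hides Folder Options, so hidden files and extensions stay hidden",
}


def unescape(raw: str) -> str:
    """Undo the report's escaping (backslash-quote and doubled backslashes)."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_row(row: str):
    """Return (key_path, value) for a 'Set value' row; None for other rows."""
    m = SET_ROW.match(row)
    return (m.group(2), unescape(m.group(3))) if m else None


def to_reg_path(path: str) -> str:
    """Translate the kernel object path into reg.exe hive notation."""
    path = path.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    return path.replace("\\REGISTRY\\USER\\", "HKU\\", 1)


def classify(path: str, value: str):
    """Map one registry write to (technique, subject, detail) or None."""
    parts = path.split("\\")
    name = parts[-1]
    if "Classes" in parts:
        i = parts.index("Classes")
        cls, tail = parts[i + 1], parts[i + 2:]
        if tail == ["shell", "open", "command"]:
            # Every launch of this type now runs the attacker's launcher first
            # (MITRE T1546.001). lnkfile has no open command by default.
            if cls == "lnkfile" or value.strip() != DEFAULT_OPEN_CMD:
                m = re.match(r'"([^"]+)"|(\S+)', value)
                return ("file_association_hijack", cls, m.group(1) or m.group(2))
        elif not tail and cls in EXEC_CLASSES:
            # The class default value is the type name Explorer displays.
            return ("type_name_spoof", cls, value)
    if "Policies" in parts and name in LOCKOUT_POLICIES and value == "1":
        return ("policy_lockout", name, LOCKOUT_POLICIES[name])
    if parts[-2:] == ["Desktop", "SCRNSAVE.EXE"]:
        return ("screensaver_hijack", name, value)
    return None


def analyze(rows):
    """Return (technique, subject, detail, reg_path) for every flagged write."""
    findings = []
    for row in rows:
        parsed = parse_row(row)
        hit = classify(*parsed) if parsed else None
        if hit:
            findings.append((*hit, to_reg_path(parsed[0])))
    return findings


def remediation(findings):
    """reg.exe commands that undo each write; stop the dropped processes first."""
    cmds = []
    for technique, subject, _detail, regpath in findings:
        key, _, name = regpath.rpartition("\\")
        if technique == "file_association_hijack" and subject in EXEC_CLASSES:
            cmds.append(f'reg add "{regpath}" /ve /t REG_SZ /d "\\"%1\\" %*" /f')
        elif technique == "file_association_hijack":  # e.g. lnkfile: key should not exist
            cmds.append(f'reg delete "{regpath}" /f')
        elif technique in ("policy_lockout", "screensaver_hijack"):
            cmds.append(f'reg delete "{key}" /v {name} /f')
        # type_name_spoof: restore the name from a clean host of the same build
    return cmds


if __name__ == "__main__":
    found = analyze(SAMPLE_ROWS)
    for f in found:
        print(f)
    print("\n".join(remediation(found)))
```

The rollback commands only hold once the writer is gone: the process column in the tables above is the sample itself, and the Processes list shows the copies it spawned (xk.exe, IExplorer.exe and the WINLOGON/CSRSS/SERVICES/LSASS/SMSS drops under Local Settings\Application Data\WINDOWS), any of which may rewrite the keys. The exefile type name has no safe automatic fix here because the script does not know the display name of the clean build, so that one is left to be copied from a known-good host.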

Processes

C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe

"C:\Users\Admin\AppData\Local\Temp\024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f.exe"

C:\Windows\xk.exe

C:\Windows\xk.exe

C:\Windows\SysWOW64\IExplorer.exe

C:\Windows\system32\IExplorer.exe

C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"

C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE

"C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
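Every row in the Network table is a reverse (PTR) lookup sent to the sandbox resolver; the report shows no forward lookup and no connection, so nothing here is a domain the sample contacted. What a reader wants from these rows is the list of addresses the guest tried to name and a check that none of the queries is a forward query for an attacker-controlled domain. The script below is an added example, not part of the report: the table is copied in as constructed input, and the handling of ip6.arpa names is the author's generalisation beyond what the report contains.

```python
"""Decode the Network table: PTR query names back to the addresses queried.

Added example, not part of the original report. The rows are copied from
the report; ip6.arpa support goes beyond what the report contains.
"""
import ipaddress

# Constructed from the report's Network table (Country Destination Domain Proto).
SAMPLE_TABLE = """\
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name: str):
    """Decode a reverse-lookup name; return None if it is a forward query."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"] and len(labels) == 6:
        # 209.205.72.20.in-addr.arpa -> 20.72.205.209 (octets are stored reversed)
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    if labels[-2:] == ["ip6", "arpa"] and len(labels) == 34:
        # 32 reversed hex nibbles, one per label, regrouped into 8 hextets
        nibbles = "".join(reversed(labels[:32]))
        return ipaddress.IPv6Address(":".join(nibbles[i:i + 4] for i in range(0, 32, 4)))
    return None


def parse_table(table: str):
    """Parse the four-column rows into records carrying the decoded address."""
    records = []
    for line in table.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = line.split()
        ip = ptr_to_ip(domain)
        records.append({
            "country": country, "resolver": dest, "proto": proto,
            "query": domain, "kind": "ptr" if ip else "forward",
            "ip": str(ip) if ip else None,
        })
    return records


def forward_queries(records):
    """Names resolved forward: the candidates for C2 or download domains."""
    return [r["query"] for r in records if r["kind"] == "forward"]


def reverse_targets(records):
    """Addresses the guest asked to name, deduplicated and sorted numerically."""
    return sorted({r["ip"] for r in records if r["kind"] == "ptr"}, key=ipaddress.ip_address)


if __name__ == "__main__":
    recs = parse_table(SAMPLE_TABLE)
    print("forward queries:", forward_queries(recs) or "none")
    print("PTR targets:", ", ".join(reverse_targets(recs)))
```

For this report forward_queries() comes back empty, which is the point: the table gives no network IOC for the sample, only the addresses the guest happened to reverse-resolve. Attributing those addresses to the malware rather than to background OS traffic needs the process that issued each query, which this table does not record.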

Files

memory/4464-0-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\winlogon.exe

MD5 5d1b08a8f3bac19e29e8d59db580ee44
SHA1 8cec06018aa979f742643ff11bc24227a6c96952
SHA256 024c8906af92356de99c6b6b4525d83fde2a8909ed58aaea78c4eae58b0a788f
SHA512 44f978c9ed78e159a4817ad2da755c1177bd27dc71fd19eaae44bf6d80f816c59ee62d22c63ed9c41aba1558117c70e40eb93eda737e689ff2b6e07af6064def

C:\Windows\xk.exe

MD5 5a7b67ddcffaa50f344fc0d81e38f303
SHA1 0b4ee80b082b291cbf286adc124d29bd432bed66
SHA256 b036c88fe8f40af7302aafa0e2a4226eb36609b702c33f85a9c0ac3de7169e0f
SHA512 a0cde54ad468c9a249fe5b8cd49bd461e9e13cdcedb44249bacf92a3ccaf3874860f9eba677b6685324e5c702e3dab9abdeb33b63856c69a9c95dc4ff24c3024

C:\Windows\SysWOW64\IExplorer.exe

MD5 56edf0c1804dcc49a0c394c0179a14d1
SHA1 56d2d22db4317c48ead04e3eddad4eec1c2bc9cf
SHA256 e10e30b3120d43746f17c3b3e6041b9e93340fe928fb83bbc9f952514a3c4be9
SHA512 6093a4d2bc62336f752080254dfa2848661f2f5e65f106a62645baddba2cd4413a36397be4fd51cc42fe303b5249eb70a9ea130f5ae7a826fa60edfd3a1bd615

memory/4836-113-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1336-119-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

MD5 18b170e2862b33f6430099137148d60d
SHA1 73c1e9df8a97f7bafa6a78ffce327180b1cb455d
SHA256 f31723f8807c2aeff09fc9291fd934befcd997a1b86c9fbfc875d9366664d1ad
SHA512 5cd1f30c0cf54856feff2605ce1fe4da51a38e3bd517e8065c5b7fb1459b401750896d994b964d27b2f0306c28ce912586bae7600a1e69af44caefac992dac00

memory/228-125-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

MD5 03b9a5e001bf8efb991debce3af78c89
SHA1 77f8020885d42e31ada7caf6fb414be8b4444e28
SHA256 20ef84a4220c1a5f53520cf56164577ee65f0da9239de85b47755ecb550363ae
SHA512 32744ee7170b96bf6077d382f86f38f29fd1c1ee5820307ecc983fb2095dcee9e45ef0a7b5e1498974913003a8a46c79e7a3cf712b025baf09edc6a81e38269c

memory/4152-132-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

MD5 6c0d951a5b226edf3b2c01c9a5ffe6f8
SHA1 82321488f5052dba56b9d66a33a388b25373a2c0
SHA256 97c2354ef26fbdbb7a08654e0f483a486b1a9d06fb04b168d794899be602b6e2
SHA512 5769061a0aefb43638a43322db4a6d64d36b2cbb5a39d49df2a709c141b608761254b35ff690c6ed714c25d74b51757b07c9005f9a3d9045265ab0a87effbe14

memory/908-138-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

MD5 747f1590d38f3be77b3b54949485bcda
SHA1 b61fc724bb6a2e64de56bf42fa500c835a3e5510
SHA256 fff543645172ca5aacdd6d6aaeac0f9494d4d5037b2a1036fd5ac55ce4ee258a
SHA512 abd61110c103b200e92542a7ef1ce5b13fa225c3466ce3a30491da52b229efcc9f09671ab000387bfa1669992452d58431e1ca4f0bec9ef0e26295ca96e8df4b

memory/2416-145-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

MD5 71741849971ae37ac8476f7ea5429f93
SHA1 d715bbb15233a626f496dc3daf230bd465d5779f
SHA256 c55e4abc585827ad515c00c586bc2846e9af26492802a75f28c96753f723b019
SHA512 f5abcfa46aed22354cfa6eebcce69c1f20c0168e372ba687230af3351b033dcc54c8dc68aed53bdad9a37403736e03ccfe2704ee7f3d4aa20aa8a7f21ebbab8a

memory/4516-152-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4464-154-0x0000000000400000-0x000000000042F000-memory.dmp