43a5d2374dae6ac4c70aecd7570b1df3f2bd4ee8c85ab9613762502dca2f1b0d

Analysis

max time kernel
190s
max time network
174s
platform
windows10_x64
resource
win10-en-20210920
submitted
24-09-2021 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

okta.swa.ie-5.33.0.exe
Size

2.6MB
MD5

b318e26f2c2355ea929a77e0c0f96200
SHA1

1caacbd90bc1d0bdca3616234de909fa84961a34
SHA256

43a5d2374dae6ac4c70aecd7570b1df3f2bd4ee8c85ab9613762502dca2f1b0d
SHA512

cdc0a430f520f4837415d36f5e8b8af69589b429d304f2831a4bfb1a89771210b55db127ebaf718c53c8d5bfed6d292ca4762c726a7b14d546f0f9183718b340

Score

10^/10

adware discovery persistence stealer

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Executes dropped EXE 4 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid process

3692 regsvr32.exe
3588 regsvr32.exe
3916 regsvr32.exe
1116 regsvr32.exe

pid	process
3692	regsvr32.exe
3588	regsvr32.exe
3916	regsvr32.exe
1116	regsvr32.exe

Loads dropped DLL 7 IoCs

Processes:

okta.swa.ie-5.33.0.exeregsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

pid	process
2064	okta.swa.ie-5.33.0.exe
2064	okta.swa.ie-5.33.0.exe
2064	okta.swa.ie-5.33.0.exe
3692	regsvr32.exe
3588	regsvr32.exe
3916	regsvr32.exe
1116	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
stealer adware

Modify Registry
T1112

Browser Extensions
T1176

Drops file in Program Files directory 12 IoCs

Processes:

okta.swa.ie-5.33.0.exe

description	ioc	process
File opened for modification	C:\Program Files\Okta IE plugin\x86\OktaBHO.dll._tm	okta.swa.ie-5.33.0.exe
File created	C:\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll._tm	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll	okta.swa.ie-5.33.0.exe
File created	C:\Program Files\Okta IE plugin\x64\OktaBHO.dll._tm	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x64\OktaBHO.dll	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll._tm	okta.swa.ie-5.33.0.exe
File created	C:\Program Files\Okta IE plugin\x86\OktaBHO.dll._tm	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll._tm	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x64\OktaBHO.dll._tm	okta.swa.ie-5.33.0.exe
File created	C:\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll._tm	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll	okta.swa.ie-5.33.0.exe
File opened for modification	C:\Program Files\Okta IE plugin\x86\OktaBHO.dll	okta.swa.ie-5.33.0.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

2552 taskkill.exe

pid	process
2552	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEregsvr32.exeregsvr32.exeIEXPLORE.EXEokta.swa.ie-5.33.0.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{8C938A58-9A96-4A95-929D-C8C28C639C32}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{8C938A58-9A96-4A95-929D-C8C28C639C32}	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1189312225"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$WordPress	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate\NextUpdateDate = "339296650"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1199781236"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\FileVersion = "2016061511"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"	okta.swa.ie-5.33.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$blogger	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	okta.swa.ie-5.33.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30912898"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$http://www.typepad.com/	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\NextUpdateDate = "339328641"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{72392E09-1D75-11EC-AF2E-664C7E786535} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 3	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\HistoryJournalCertificate	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	okta.swa.ie-5.33.0.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d0000000002000000000010660000000100002000000061604e39ba6f9dd4b0c443baca92dfc253f51664bec104b3a401667d7c97f7f7000000000e8000000002000020000000a54949ad874adb5be8a8385b21e7147efcc7e84070e67fcdb587091e158808cb2000000006931722864885f4dc6190d3def1a1cae64268fb7fe120771d652fff2ea5060940000000e8800b0ed2979f45f29232c31fbc5d47fc960acefcb0a01b036d892dd0a659cb34941b82b166a89bb63764d05ad40e7addf06d2bc6c2a3232e4b0adca154fe98	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Telligent	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$vBulletin 4	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$MediaWiki	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "339280056"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912898"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta\generator$Discuz!	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007dce5df328d2b3428465887ea00eec2d00000000020000000000106600000001000020000000c4e03edc3372dbb4214bd76f197c2bc256f8c01a9a179dc1194580e9455619cb000000000e800000000200002000000001412cc6629d287f37aaede372288b177b3dba57a7af4fa4db3619df404ea6d8000100004b7a883bf9ea3fe161249ce48ff96c458689f72509e6a968ff8e49f86e08b8357d5369e2db2ac0982f8030ff3b56bca2d2c5566c3c8339e9ff54955c631b7119827a13ba97d6014a77557d02058a527f94a50ced03da609bf9e86398060f42488ba2e657e46c60bdc22cc601038e8f5b4ae137b8caf3e23deda39ea32aee3079c03a3097d159e5fdec18fb32d368c6266673e5fb07187c3a3fcd87699d1c8c05c36b908c6994b00c363a98eca26fb6ed5005875511df96c5c03824df6214b6a4ff986ac28612c3ed375b09e4d45a6febdb1c79a31e30fd8886772439cd065def1257a8c90789f56f108270ffffba4a5a3e724f4250715890af50b18a96743190400000003ba5d3469a38007664ffc54f3595b9f8b1a3a064fee9a8009d16acccbd97e352cc440462d84f0efe8558a4237814847d3ddd77941863a30491b27ed59f1614b0	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Styles	okta.swa.ie-5.33.0.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Styles	okta.swa.ie-5.33.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1189312225"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30912898"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Styles\MaxScriptStatements = "4294967295"	okta.swa.ie-5.33.0.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00109a4882b1d701	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\FlipAhead\Meta	IEXPLORE.EXE

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE58E239-A308-43E4-A8EE-0CC81E287696}\TypeLib\ = "{9D02C080-2DDA-4380-83A3-B64FCEF93793}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\TypeLib\ = "{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\ToolboxBitmap32\ = "C:\\Program Files\\Okta IE plugin\\x64\\toolbar\\OktaIEBand.dll, 102"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\MiscStatus\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE58E239-A308-43E4-A8EE-0CC81E287696}\ = "IOktaIEBandObj"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Control	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D0759D9-B114-46F1-92A0-C3E00EAE44AA}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\MiscStatus\1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0\0\win64\ = "C:\\Program Files\\Okta IE plugin\\x64\\OktaBHO.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\ = "IOktaBHOCallback"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\ = "Okta toolbar"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Control	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Version	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\AppID = "{CA21169E-15AD-4932-A161-D544E66145CC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D0759D9-B114-46F1-92A0-C3E00EAE44AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\TypeLib\ = "{9D02C080-2DDA-4380-83A3-B64FCEF93793}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\TypeLib\ = "{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\ = "IOktaBHOCallback"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\InprocServer32\ = "C:\\Program Files\\Okta IE plugin\\x86\\OktaBHO.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D0759D9-B114-46F1-92A0-C3E00EAE44AA}\TypeLib\ = "{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Control	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE58E239-A308-43E4-A8EE-0CC81E287696}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\Version\ = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\ = "OktaBHO Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D64105AE-BC18-4AD8-BE1C-1BD548F94ED8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D0759D9-B114-46F1-92A0-C3E00EAE44AA}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D0759D9-B114-46F1-92A0-C3E00EAE44AA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D02C080-2DDA-4380-83A3-B64FCEF93793}\1.0\0\win32\ = "C:\\Program Files\\Okta IE plugin\\x86\\toolbar\\OktaIEBand.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CC8FCBD1-6B44-4A92-BAC4-2096A7A1C666}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\ToolboxBitmap32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\InprocServer32\ = "C:\\Program Files\\Okta IE plugin\\x64\\toolbar\\OktaIEBand.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\MiscStatus	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\MiscStatus\1\ = "131473"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

okta.swa.ie-5.33.0.exe

pid process

2064 okta.swa.ie-5.33.0.exe
2064 okta.swa.ie-5.33.0.exe
2064 okta.swa.ie-5.33.0.exe
2064 okta.swa.ie-5.33.0.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 2552 taskkill.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

IEXPLORE.EXE

pid process

2208 IEXPLORE.EXE

description	pid	process
Token: SeDebugPrivilege	2552	taskkill.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

IEXPLORE.EXEIEXPLORE.EXEokta.swa.ie-5.33.0.exe

pid	process
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE
2064	okta.swa.ie-5.33.0.exe
3940	IEXPLORE.EXE
3940	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

okta.swa.ie-5.33.0.exeIEXPLORE.EXE

description	pid	process	target process
PID 2064 wrote to memory of 2552	2064	okta.swa.ie-5.33.0.exe	taskkill.exe
PID 2064 wrote to memory of 2552	2064	okta.swa.ie-5.33.0.exe	taskkill.exe
PID 2064 wrote to memory of 3692	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3692	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3692	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3588	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3588	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3916	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3916	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 3916	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 1116	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 1116	2064	okta.swa.ie-5.33.0.exe	regsvr32.exe
PID 2064 wrote to memory of 2208	2064	okta.swa.ie-5.33.0.exe	IEXPLORE.EXE
PID 2064 wrote to memory of 2208	2064	okta.swa.ie-5.33.0.exe	IEXPLORE.EXE
PID 2208 wrote to memory of 3940	2208	IEXPLORE.EXE	IEXPLORE.EXE
PID 2208 wrote to memory of 3940	2208	IEXPLORE.EXE	IEXPLORE.EXE
PID 2208 wrote to memory of 3940	2208	IEXPLORE.EXE	IEXPLORE.EXE

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

Processes:

regsvr32.exeregsvr32.exeregsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA} = "2"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32} = "2"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{8C938A58-9A96-4A95-929D-C8C28C639C32} = "2"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{E411779C-5CFE-413F-A57B-18C55A4EFADA} = "2"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\ListBox_Support_CLSID = "1"	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\okta.swa.ie-5.33.0.exe
"C:\Users\Admin\AppData\Local\Temp\okta.swa.ie-5.33.0.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\taskkill.exe
"C:\Windows\system32\taskkill.exe" /im OktaIeHelper.exe /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe
"C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe" "C:\Program Files\Okta IE plugin\x86\OktaBHO.dll" /i:`` /r
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- System policy modification
PID:3692

C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe
"C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe" "C:\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll" /i:`` /r
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:3588

C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe
"C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe" "C:\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll" /i:`` /r
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- System policy modification
PID:3916

C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe
"C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe" "C:\Program Files\Okta IE plugin\x64\OktaBHO.dll" /i:`` /r
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- System policy modification
PID:1116

C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" "https://system.okta.com/plugin/verification/ie"
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:82945 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3940

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Okta IE plugin\x64\OktaBHO.dll
MD5
bf81d7bd4d0ffe69534d62894016b2ca

SHA1
4c1d3b414b55d212a58ba8fb0082c1b717cfa1d9

SHA256
cc0fcd4d60c20b1e43148a615ddf2892be19b6b16521bca58829e94d493e59f8

SHA512
6abf9d80dbb310896f2fdb9891ff51050e48733a7f8f1881e0854f54a9baa72483d5cdc8cf3f29f92cbd0b3b231dade61d02e45bfe29591a9fd7fe287e470b1c

Download Submit
C:\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll
MD5
ad2c1ba7ce659d21cabb1d5178d0d93b

SHA1
32912792f8c5e32d1cdde23fb5d7cd4ba09aea0a

SHA256
c1b3f0ba8a7bed237bbd759511c045551200c70827d2068174c1385d785efe1c

SHA512
f65ebf49cae63b32a3bfe399e369e02aa208467d5342321fc0e91804abb7bc24bcd6f907b34207aebbf584b37d5a75c5fe98ef4ba54d03c330d6fe50c5c3e93f

Download Submit
C:\Program Files\Okta IE plugin\x86\OktaBHO.dll
MD5
8c0fee0ea798113f2cc0d088d17a909b

SHA1
40dab5811598515499b308b8e2af4acfe7b113a0

SHA256
4d11ae4d7777d72a7cf88561d561dcdb45b3ecc80af0021767e4a13e9eb89a49

SHA512
fedb69abdeca031a4f2c1c50fe11a88967e97eedda8884fa60130b24185575b8d41e754c350fce8f610affd05dcc095e6a2b8b043c5552ab4024cd79d5c461a3

Download Submit
C:\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll
MD5
2e1b9e21ae58898abb96c41375843733

SHA1
68332f19978d8050f32e5eb8e0d685b437cd1435

SHA256
71e3368f34c3b0ef6d999b68b70ee25d8adf2b1405e0ac7031e3ceb65dab2a1b

SHA512
b43f1392790854386bf600bbcd22161869fa81438d82bd81d76b403fd341dc976a5195496120cad9e145fd89eb03b4279b68bfa429bf35b3c90f1b88e65992b7

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe
MD5
3353415c921cc5c7b38bb03d0244e0fd

SHA1
e7a269266e96066b8887054ebefe1807c52c97ca

SHA256
1c00adbbdae60fc68edb5e92d048a649564d6315e2062ef31569835cd2349025

SHA512
7d4efafb14fc2311cd3a9019b76bdc71a50692299b0ca96445dd625edfd3b4ca9a533d623b73b7ab4cb5f116d0b5f607391c32ef40a2361bd3341d86d68d3afd

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe
MD5
3353415c921cc5c7b38bb03d0244e0fd

SHA1
e7a269266e96066b8887054ebefe1807c52c97ca

SHA256
1c00adbbdae60fc68edb5e92d048a649564d6315e2062ef31569835cd2349025

SHA512
7d4efafb14fc2311cd3a9019b76bdc71a50692299b0ca96445dd625edfd3b4ca9a533d623b73b7ab4cb5f116d0b5f607391c32ef40a2361bd3341d86d68d3afd

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x64\regsvr32.exe
MD5
3353415c921cc5c7b38bb03d0244e0fd

SHA1
e7a269266e96066b8887054ebefe1807c52c97ca

SHA256
1c00adbbdae60fc68edb5e92d048a649564d6315e2062ef31569835cd2349025

SHA512
7d4efafb14fc2311cd3a9019b76bdc71a50692299b0ca96445dd625edfd3b4ca9a533d623b73b7ab4cb5f116d0b5f607391c32ef40a2361bd3341d86d68d3afd

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe
MD5
c509ebdc4e6557ce525ed967b98295f9

SHA1
8585a83463f97c7d760e77038113b50f027441f0

SHA256
68d57181e59d069803b351ce40d1841110f1a171084f4cbeb4e8fa23716f5dc3

SHA512
e8b2a736b1bc79670d17db625c6a57f2b35aff0cf90eb0447be51affbadbeeef17121a1965d98bbb49e76e1a17ddbaf14b66f1ca2dcf87a1444aaad5c838a17c

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe
MD5
c509ebdc4e6557ce525ed967b98295f9

SHA1
8585a83463f97c7d760e77038113b50f027441f0

SHA256
68d57181e59d069803b351ce40d1841110f1a171084f4cbeb4e8fa23716f5dc3

SHA512
e8b2a736b1bc79670d17db625c6a57f2b35aff0cf90eb0447be51affbadbeeef17121a1965d98bbb49e76e1a17ddbaf14b66f1ca2dcf87a1444aaad5c838a17c

Download Submit
C:\ProgramData\InstallMate\{951D73C6-B2B4-4319-A4E0-0E393B3D20F3}\x86\regsvr32.exe
MD5
c509ebdc4e6557ce525ed967b98295f9

SHA1
8585a83463f97c7d760e77038113b50f027441f0

SHA256
68d57181e59d069803b351ce40d1841110f1a171084f4cbeb4e8fa23716f5dc3

SHA512
e8b2a736b1bc79670d17db625c6a57f2b35aff0cf90eb0447be51affbadbeeef17121a1965d98bbb49e76e1a17ddbaf14b66f1ca2dcf87a1444aaad5c838a17c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2543B5AF7D46D42E6CEED21F85143F6A_515F3099EFB1C5E69E2D764425FF9E87
MD5
07a5ed13fee6ded28c48f40ee33ecb8f

SHA1
ac0759cafd7b163736bc44ad6209ee15bbb77911

SHA256
529ab9b8be74aa69f48c319ef821e2c1f3b2dfff6da8cf7fd79ab14aeddc0fa0

SHA512
c3c63493abe5297e9c27eaed47d018ef1dff99710339021b9b39d81f2b604cd89be63e2dff37d50ee90dc1887220fb53d249f6fe020fc5103b2c7faabc49dab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
96d912754b19ecf01f2a44cb111a5836

SHA1
bdd29febe61e6518a02ed7436f4f693ed008702c

SHA256
02d969c7f8bfce21ddce96ec8520c1b2d36a1e4fb8fe12f3a5435d60cab9bbcf

SHA512
cd8f1d3c15d1e00bf98a847d0f8c23411be02e3136191a7c7a43296f832b7680d8ef9d6906138645914a0501bf234cd8a54c37e3163037faa62a28baa3affd41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
f6c43ba8f66df7d9a8ba2cacbdbdec3e

SHA1
ca1689ef9e173070d54e22ab81655771134bb7bb

SHA256
edd8ca062a79f778031d3582d2ffcb90c3dda6a26cba0a7b01b1b12746912fc7

SHA512
f4c14a7b5695d0c3c37ae1d0c3d857853f236fecdaa8270ce41ef09addc2cef6a2f75a8c9e0cea5fd6cfe7dd8df68238ab4703b4553c23d1d2072efc3b37fc55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_515F3099EFB1C5E69E2D764425FF9E87
MD5
f261f6662386e410e00608b689b2c2e6

SHA1
d677373021f12442100fb49981c1969a28a37b48

SHA256
b7b0bb2d25c39b80ce5b643af41037c8fcbef513b5d970ab6663cee9c34860a5

SHA512
ca6f5f9a1c92330630d2c302fa219b17acaba97aa6fcadc0152288597eb47ac3950c1aed9ec1fc7c2af2d6f3ca3f39eb0910b92446482a95e87dfa1cf4cabc37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
1b98d37110dae51971a4f889818cd764

SHA1
50b8bc707162625024dc74b5c2404d36d667ce07

SHA256
8a9274a8abbf43f45fb9c88f708ba9452e93bc04ae35d477223c5322650e2026

SHA512
8d40fc92c3de58234ecfff832f1d9847f582f1d1d8ecbe9e79dc4ee5614b8d65e6ae16465bc1f7658a46e170a2041466b1095ebb3fb5a98fbc3011be5cd669ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
ec6259923b3374578fe0a9e73bec6f51

SHA1
27b1933e85b60b35ffa8a2db9fa6d413910c8498

SHA256
04bed63b5b872fd053b40d05cdc6701c92e7a771334f5ee7e2f82bb5878189f0

SHA512
5d3ba9edce8e6214b90cd4cd624216825cc327d8a677e9c240e982e40bd618ee9f55565b73d411c366a8150c9501e9949f5af13c797c479ebdf576db98cc9ce4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\A8VXDAW1.cookie
MD5
800aa45e0e482c63b5b2be0a7dc9332c

SHA1
00dadba99571f7efc42a646f04b87ecc26f4e720

SHA256
0b6191c834874eac0e6fc43be52c6be26d800fddba6b487ecd22063b1d1228ed

SHA512
f5b5356c74e9eec9ffbaaf82124681a934cf8e47a7bd841c758e6c9023b3f0439b2d60ae0f45ff907663948904a70719e4300d3156427a4b7abde6d6e61e22c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\Y5FJI9BC.cookie
MD5
9cc7373e69776eb6826f6cbebc929d85

SHA1
387125914955b90d8ee55189374a805d670aa5d2

SHA256
57f884919850a7fc6d42a352fbfbe62a8eb007fd2164810dd2bc1a98414ffe2e

SHA512
dff583d308f05dec7e20760f62fb91d95a29a9b31c4cb59365d5fc5757893b7aa1a2dd8c66c6014ba9d082ddff4854d6e3f5912a47a9ee47028d3702326c5dc8

Download Submit
\Program Files\Okta IE plugin\x64\OktaBHO.dll
MD5
bf81d7bd4d0ffe69534d62894016b2ca

SHA1
4c1d3b414b55d212a58ba8fb0082c1b717cfa1d9

SHA256
cc0fcd4d60c20b1e43148a615ddf2892be19b6b16521bca58829e94d493e59f8

SHA512
6abf9d80dbb310896f2fdb9891ff51050e48733a7f8f1881e0854f54a9baa72483d5cdc8cf3f29f92cbd0b3b231dade61d02e45bfe29591a9fd7fe287e470b1c

Download Submit
\Program Files\Okta IE plugin\x64\toolbar\OktaIEBand.dll
MD5
ad2c1ba7ce659d21cabb1d5178d0d93b

SHA1
32912792f8c5e32d1cdde23fb5d7cd4ba09aea0a

SHA256
c1b3f0ba8a7bed237bbd759511c045551200c70827d2068174c1385d785efe1c

SHA512
f65ebf49cae63b32a3bfe399e369e02aa208467d5342321fc0e91804abb7bc24bcd6f907b34207aebbf584b37d5a75c5fe98ef4ba54d03c330d6fe50c5c3e93f

Download Submit
\Program Files\Okta IE plugin\x86\OktaBHO.dll
MD5
8c0fee0ea798113f2cc0d088d17a909b

SHA1
40dab5811598515499b308b8e2af4acfe7b113a0

SHA256
4d11ae4d7777d72a7cf88561d561dcdb45b3ecc80af0021767e4a13e9eb89a49

SHA512
fedb69abdeca031a4f2c1c50fe11a88967e97eedda8884fa60130b24185575b8d41e754c350fce8f610affd05dcc095e6a2b8b043c5552ab4024cd79d5c461a3

Download Submit
\Program Files\Okta IE plugin\x86\toolbar\OktaIEBand.dll
MD5
2e1b9e21ae58898abb96c41375843733

SHA1
68332f19978d8050f32e5eb8e0d685b437cd1435

SHA256
71e3368f34c3b0ef6d999b68b70ee25d8adf2b1405e0ac7031e3ceb65dab2a1b

SHA512
b43f1392790854386bf600bbcd22161869fa81438d82bd81d76b403fd341dc976a5195496120cad9e145fd89eb03b4279b68bfa429bf35b3c90f1b88e65992b7

Download Submit
\Users\Admin\AppData\Local\Temp\4FAA91E7\_Setup.dll
MD5
66b37af54b379443355a8702cfcb32c1

SHA1
a09f41cd717ddea32a992b61089f1901b4378db6

SHA256
2594cd5ddbd7802b1957eb4df1db415d6fd989fd96ac37a38118cfecfd76b544

SHA512
b453d8f32a97875ed88915748fba59489cf41593babaafeb2c9d58524ee8a62b8c16ddf11fc37a47639fa66f6e52a31ececfaaa8e673a453c053e16c6afd55be

Download Submit
\Users\Admin\AppData\Local\Temp\4FAA91E7\_Setupx.dll
MD5
b146d15a29fbbaecc2fb29f1f6d861f8

SHA1
ad61298b02137ff9bb4ccb19f3078154e6e643b3

SHA256
a3d3486fe5787f94d63bb0c13b00710928a5b21c641e746ee998d61377180a40

SHA512
5f4d372c93b06033ac1466099b7f4a88fc5f72f074f7a3642126e11224a9ff8167cb569d7261294c28dce810a71a397dd20dfd78070fd3cf203a036a9fd49de1

Download Submit
\Users\Admin\AppData\Local\Temp\TsuD2D6663B.dll
MD5
dc64c8a348fab6369762bccad3f86f6f

SHA1
5f5f21f8531039e32acfca45ef3210f4542c222e

SHA256
9c0655d7ab56cbe7a701096363997712ba01a06773dd046f62db8305eb331e72

SHA512
b5697eba36d25b1698beca8592da0c5b6ac58384c72df33b83431dbcdd86c572fd8c8cafb7dabddb9ffc8c2e4d5f7710b4486e3343f39adcbf0755faf93473ae

Download Submit
memory/1116-133-0x0000000000000000-mapping.dmp

Download
memory/2208-137-0x0000000000000000-mapping.dmp

Download
memory/2208-138-0x00007FFBC0580000-0x00007FFBC05EB000-memory.dmp

Filesize
428KB

Download
memory/2552-118-0x0000000000000000-mapping.dmp

Download
memory/3588-124-0x0000000000000000-mapping.dmp

Download
memory/3692-119-0x0000000000000000-mapping.dmp

Download
memory/3916-129-0x0000000000000000-mapping.dmp

Download
memory/3940-139-0x0000000000000000-mapping.dmp

Download