2e80059a92e23f07ece25cd25f4e855cb01c8623a5ca9d8d63756c2273368563

max time kernel
867s
max time network
895s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-10-2022 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Docked = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff19000000190000009f0400007e020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "269"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A0CC9400-46FF-11ED-9351-5A21EB137514} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "269"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LinksExplorer\Width = "270"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "yes"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff4b00000000000000d104000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{238A3BA1-46FF-11ED-9351-5A21EB137514} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0BDFBB11-46FF-11ED-9351-5A21EB137514} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 34 IoCs

pid	Process
2012	OUTLOOK.EXE
2172	vlc.exe
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
2084	vlc.exe
2556	vlc.exe
3120	vlc.exe
3092	vlc.exe
3128	vlc.exe
3376	vlc.exe
3452	vlc.exe
3780	vlc.exe
3832	vlc.exe
3316	vlc.exe
4196	vlc.exe
4316	vlc.exe
4416	vlc.exe
4528	vlc.exe
4276	vlc.exe
4256	vlc.exe
4724	vlc.exe
5024	vlc.exe
2288	vlc.exe
5272	vlc.exe
5308	vlc.exe
5660	vlc.exe
5916	vlc.exe
5148	vlc.exe
5884	vlc.exe
2832	vlc.exe
2936	vlc.exe
5948	vlc.exe
5448	vlc.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
1632	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
3796	chrome.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
5348	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe
6624	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 34 IoCs

pid	Process
2172	vlc.exe
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
2084	vlc.exe
3120	vlc.exe
3128	vlc.exe
2556	vlc.exe
3092	vlc.exe
3376	vlc.exe
3452	vlc.exe
3780	vlc.exe
3832	vlc.exe
3316	vlc.exe
4196	vlc.exe
4316	vlc.exe
4416	vlc.exe
4528	vlc.exe
4256	vlc.exe
4724	vlc.exe
2288	vlc.exe
5024	vlc.exe
4276	vlc.exe
5308	vlc.exe
5272	vlc.exe
5660	vlc.exe
5916	vlc.exe
2936	vlc.exe
1648	iexplore.exe
5884	vlc.exe
2832	vlc.exe
5148	vlc.exe
5948	vlc.exe
5448	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	5600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5600	AUDIODG.EXE
Token: 33	5600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5600	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
2172	vlc.exe
2172	vlc.exe
1436	iexplore.exe
2452	vlc.exe
2564	vlc.exe
1648	iexplore.exe
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
2684	vlc.exe
2452	vlc.exe
2452	vlc.exe
2172	vlc.exe
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
2084	vlc.exe
1692	chrome.exe
2084	vlc.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
2084	vlc.exe
3120	vlc.exe
3128	vlc.exe
2556	vlc.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
2172	vlc.exe
2172	vlc.exe
2452	vlc.exe
2564	vlc.exe
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
2684	vlc.exe
2084	vlc.exe
1692	chrome.exe
2084	vlc.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
1692	chrome.exe
3120	vlc.exe
3128	vlc.exe
2556	vlc.exe
3120	vlc.exe
3092	vlc.exe
3128	vlc.exe
2556	vlc.exe
3092	vlc.exe
3376	vlc.exe
3376	vlc.exe
3452	vlc.exe
3452	vlc.exe
1692	chrome.exe
1692	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1436	iexplore.exe
1436	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
2172	vlc.exe
2012	OUTLOOK.EXE
2012	OUTLOOK.EXE
2012	OUTLOOK.EXE
2012	OUTLOOK.EXE
2452	vlc.exe
2564	vlc.exe
2684	vlc.exe
1488	IEXPLORE.EXE
1488	IEXPLORE.EXE
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
2084	vlc.exe
1648	iexplore.exe
1648	iexplore.exe
2556	vlc.exe
3120	vlc.exe
3128	vlc.exe
3092	vlc.exe
3376	vlc.exe
3452	vlc.exe
1648	iexplore.exe
1648	iexplore.exe
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
3680	IEXPLORE.EXE
3680	IEXPLORE.EXE
3780	vlc.exe
3832	vlc.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1120	IEXPLORE.EXE
1120	IEXPLORE.EXE
3732	IEXPLORE.EXE
3732	IEXPLORE.EXE
3316	vlc.exe
4196	vlc.exe
4316	vlc.exe
4416	vlc.exe
4528	vlc.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
1648	iexplore.exe
4624	IEXPLORE.EXE
4624	IEXPLORE.EXE
2108	IEXPLORE.EXE
2108	IEXPLORE.EXE
1648	iexplore.exe
1648	iexplore.exe
4960	IEXPLORE.EXE
4960	IEXPLORE.EXE
1648	iexplore.exe
1648	iexplore.exe
4256	vlc.exe
4724	vlc.exe
4276	vlc.exe
5024	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1488	1436	iexplore.exe	34
PID 1436 wrote to memory of 1488	1436	iexplore.exe	34
PID 1436 wrote to memory of 1488	1436	iexplore.exe	34
PID 1436 wrote to memory of 1488	1436	iexplore.exe	34
PID 1648 wrote to memory of 1120	1648	iexplore.exe	33
PID 1648 wrote to memory of 1120	1648	iexplore.exe	33
PID 1648 wrote to memory of 1120	1648	iexplore.exe	33
PID 1648 wrote to memory of 1120	1648	iexplore.exe	33
PID 1692 wrote to memory of 1032	1692	chrome.exe	35
PID 1692 wrote to memory of 1032	1692	chrome.exe	35
PID 1692 wrote to memory of 1032	1692	chrome.exe	35
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 544 wrote to memory of 1968	544	wmplayer.exe	37
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1688	1692	chrome.exe	39
PID 1692 wrote to memory of 1632	1692	chrome.exe	40
PID 1692 wrote to memory of 1632	1692	chrome.exe	40
PID 1692 wrote to memory of 1632	1692	chrome.exe	40
PID 1692 wrote to memory of 1612	1692	chrome.exe	42
PID 1692 wrote to memory of 1612	1692	chrome.exe	42

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:1848

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1120
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:406533 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2108
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:209929 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:3680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:209943 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:4076554 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4624
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:2372621 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4960
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:3748894 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:6004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:2896926 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:3796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:2110487 /prefetch:2
  2⤵
  PID:6660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:472069 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:7943209 /prefetch:2
  2⤵
  PID:1172
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:2765853 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:6868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1488
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1436 CREDAT:406532 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5092

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6544f50,0x7fef6544f60,0x7fef6544f70
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1072 /prefetch:2
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1680 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2060 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2424 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2336 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2320 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1580 /prefetch:8
  2⤵
  PID:5500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3728 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3716 /prefetch:8
  2⤵
  PID:5816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:6536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:6776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1028,1105329686198772507,8699603452585606656,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  PID:6172

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:1968

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:2012

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:908

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2452

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2512

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2548

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2564

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2576

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2652

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2644

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2684

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2708

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3004

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:3056

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2972

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3000

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2556

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2544

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3092

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3128

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3120

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3176

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3200

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3284

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3324

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3376

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3412

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3452

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3548

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3748

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3756

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3780

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3820

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3832

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3840

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4048

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4084

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3320

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2884

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1860

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:3360

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3048

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:3892

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3572

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1580

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:3572
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4112

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4160

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4184

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4256

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4316

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4528

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4584

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4596

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4636

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4700

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4756

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4852

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:4896

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4924

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:4968

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:5044

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4276

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4408

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4724

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4256

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4156

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:4916

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:4984
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4924

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5024

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2288

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1744

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5036

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5132

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5232

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5272

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5296

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5308

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:5452

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5592

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x65c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5600

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5660

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:5700
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:5732

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:5772

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5848

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5856

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:5876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5876 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:5500
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5876 CREDAT:537612 /prefetch:2
  2⤵
  PID:1072

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5888

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5916

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5952

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:5968

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:5988

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6012

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:6028
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:6140

C:\Windows\system32\SndVol.exe
SndVol.exe -f 45286012 22315
1⤵
PID:6064

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6088

C:\Windows\system32\SndVol.exe
SndVol.exe -m 46269591
1⤵
PID:5804

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:5584

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:6020
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:6020 CREDAT:275457 /prefetch:2
  2⤵
  PID:5808

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5148

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:6036

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5456

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5548

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5032

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5536

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5884

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2280

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:5832

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2832

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:2936

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3900

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4032

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:2532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
  2⤵
  PID:6608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:3996
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3996 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  PID:1248

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
PID:4392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4392 CREDAT:275457 /prefetch:2
  2⤵
  PID:6692

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6248

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:6552

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:6880

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\shell32.dll,Options_RunDLL 1
1⤵
PID:7060

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
1⤵
PID:7144
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /prefetch:1
  2⤵
  PID:4520

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:6256

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5948

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE"
1⤵
PID:4800

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1140

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
PID:5448

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:4900

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:3460

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:5160

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0BD88F21-46FF-11ED-9351-5A21EB137514}.dat

Filesize
11KB

MD5
ac4845c6f393c58680ae3c45ab526ea3

SHA1
5e9c67a4587b76c2441fecd3e213748781d42673

SHA256
ae32f398e6b0280dc445aa745528509fccb70cdab439063147fc12fc170dc307

SHA512
42a94fec60dc9397717894a6703a44a873b088683fea29e2d648959438534aac77a6fe66435d1a67a20f34e12b7825bd0cac6d6ca535e84d63f2d8aa1eae2092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0BD88F21-46FF-11ED-9351-5A21EB137514}.dat

Filesize
11KB

MD5
66e4bd1dae1df756537f45d59b4e424b

SHA1
b8096710868a36a3b2f2b631e07111023ef40b6f

SHA256
b38f5e22f66c7ce1e804dab28b895a8805cf90865e35bfa76eb3d8742ec31815

SHA512
001441170a934389355ed579776b427b32ba14a9165090f4c19fa8ee3a82846b4b9db512d0cc8426b95ba7675fb78a2e9b10586e23f48ba57c796001771b7583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0BD88F21-46FF-11ED-9351-5A21EB137514}.dat

Filesize
3KB

MD5
b0bcedb19caa394b16d8d48e82a1faae

SHA1
8eea1c0b8901d1425ac32ead87ca7b3c54aaddfd

SHA256
551eb170526860e13c74f6909324725d07cb3ef85629c37d07548cd67af9e9ad

SHA512
c3b3132ab2346abf64e22767a133e5cb707cf59ed5bd58806bd91a7ab0dd9ef9987216b4ea297866336494466868a05b1a55e8916b8dcd9b7d95804fd566f058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0BDFBB11-46FF-11ED-9351-5A21EB137514}.dat

Filesize
5KB

MD5
f4950342086f3b5c344af93af8eabb39

SHA1
d871d0a66a2c4b9e78326c9825f48f29941a9c98

SHA256
bdebec03d91545ca214675c738f2f0e475ce3368e8ad0e00249ec78858033b3e

SHA512
d6ec1397a97b1a282bc8442c6151532232f90ba1dc125dd346bfbdacb44cb517617393429b5c702ee78bc552a802242e797d74ea22b7d9015f4129326844837b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{238A3BA1-46FF-11ED-9351-5A21EB137514}.dat

Filesize
5KB

MD5
1845aff35876c2271e7b9b5653563204

SHA1
599b25abc724d009da1db0f3a701f5c85d20d371

SHA256
6161dfabddb8797361228b60b0e92ce399b976fb01117ca82450af9ca0767b54

SHA512
53c887553391577826748dd131d0cd4a795a2d4a6ab5ff9fd6b4c9e074145086dca69927f326dbfe5f4b700f6416f2a48fdd150908a135c70ab287f3e172e7de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{238A3BA1-46FF-11ED-9351-5A21EB137514}.dat

Filesize
4KB

MD5
75221c8dfd0b4153709e4f46ee44a127

SHA1
fbf776f033a6df2f064af5c6792355df6bf4495e

SHA256
d868b0d4d988f95c012d49e54c60112dffd8f8c5fcadb93e892aae71e3e13160

SHA512
8c89923398c6e76369673158a3fc99f083bac02698b5052e19eaee2794104a74dce29d9d12e0c07e209da50d110304879f80f9d4ee87c0467e57cd954d28d1bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CJ7GZYY9.txt

Filesize
603B

MD5
8065d9635908b1d93625532a743b15ab

SHA1
67ff66e2f00ad66934811c01f8f1e259d9f80f97

SHA256
f7a8bd64b5b1b8dd1d0e45d95c0cf9400dce03cd2b65e5d3695218f0d1579a4b

SHA512
2ccc4bc781df4864d526785c8c0e68e3ea1d7820860854728573b924b2dbe2d597ee8b11527069d0dbb3931149a10953b2805f3367b8e43b4fddbd22738a87cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
77058a2e19bf8022901e15d0fb31e772

SHA1
c8e28ab49678894ffe632b66387c195631883396

SHA256
63563b8c45fca6084208e126b9bd4754bc9ef9055e8a32d295684409a1ca5dea

SHA512
347ebd2955415c334dcd3732b90e9fa73cf9c180bcb0d9e9ef956c9dd7e82249199f7e32a9e49bba656f2a50c0b6b2518df2b1df357c33801b2a8d5a82eeed0d

Download Submit
memory/544-55-0x0000000076091000-0x0000000076093000-memory.dmp

Filesize
8KB

Download
memory/1952-54-0x000007FEFBCA1000-0x000007FEFBCA3000-memory.dmp

Filesize
8KB

Download
memory/2012-61-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2012-111-0x000000007179D000-0x00000000717A8000-memory.dmp

Filesize
44KB

Download
memory/2012-65-0x0000000069B91000-0x0000000069B94000-memory.dmp

Filesize
12KB

Download
memory/2012-63-0x000000007179D000-0x00000000717A8000-memory.dmp

Filesize
44KB

Download
memory/2012-59-0x00000000707B1000-0x00000000707B3000-memory.dmp

Filesize
8KB

Download