52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56

max time kernel
15s
max time network
6s
platform
windows7_x64
resource
win7-20220901-ja
resource tags

arch:x64arch:x86image:win7-20220901-jalocale:ja-jpos:windows7-x64systemwindows
submitted
30/10/2022, 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fucker script.exe
Size

104KB
MD5

db0655efbe0dbdef1df06207f5cb5b5b
SHA1

a8d48d5c0042ce359178d018c0873e8a7c2f27e8
SHA256

52972a23ab12b95cd51d71741db2cf276749e56030c092e2e4f0907dcb1fbd56
SHA512

5adc8463c3e148a66f8afdeefc31f2b3ffeb12b7641584d1d24306b0898da60a8b9b948bb4f9b7d693185f2daa9bd9437b3b84cebc0eabfa84dfcef6938e1704
SSDEEP

1536:m5iT3FccnYWkyjWpOku3yUyJCbyVAvy7+fRo:3LOcxkyjW3wvHq

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 5 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	helppane.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D30A5B1-580F-11ED-8C54-7AE8F1290C9B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2D2470B1-580F-11ED-8C54-7AE8F1290C9B} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: AddClipboardFormatListener 9 IoCs

pid	Process
840	vlc.exe
760	vlc.exe
1732	vlc.exe
1712	vlc.exe
1216	vlc.exe
2188	OUTLOOK.EXE
2636	vlc.exe
2700	vlc.exe
2868	vlc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1400	chrome.exe
1400	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 8 IoCs

pid	Process
840	vlc.exe
760	vlc.exe
1712	vlc.exe
1216	vlc.exe
1732	vlc.exe
2636	vlc.exe
2700	vlc.exe
2868	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	572	helppane.exe
Token: SeTakeOwnershipPrivilege	572	helppane.exe
Token: SeTakeOwnershipPrivilege	572	helppane.exe
Token: SeTakeOwnershipPrivilege	572	helppane.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
572	helppane.exe
1180	iexplore.exe
1780	iexplore.exe
840	vlc.exe
760	vlc.exe
1216	vlc.exe
1712	vlc.exe
1732	vlc.exe
840	vlc.exe
1216	vlc.exe
760	vlc.exe
1712	vlc.exe
1732	vlc.exe
840	vlc.exe
1216	vlc.exe
760	vlc.exe
1712	vlc.exe
2636	vlc.exe
2636	vlc.exe
2700	vlc.exe
2700	vlc.exe
1732	vlc.exe
2636	vlc.exe
2700	vlc.exe
2868	vlc.exe
2868	vlc.exe
2868	vlc.exe
2984	chrome.exe
1180	iexplore.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
840	vlc.exe
1216	vlc.exe
760	vlc.exe
1712	vlc.exe
1732	vlc.exe
840	vlc.exe
1216	vlc.exe
760	vlc.exe
1712	vlc.exe
1732	vlc.exe
2636	vlc.exe
2636	vlc.exe
2700	vlc.exe
2700	vlc.exe
2868	vlc.exe
2868	vlc.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
572	helppane.exe
572	helppane.exe
1180	iexplore.exe
1780	iexplore.exe
1180	iexplore.exe
1780	iexplore.exe
1348	IEXPLORE.EXE
1348	IEXPLORE.EXE
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
840	vlc.exe
760	vlc.exe
1216	vlc.exe
1732	vlc.exe
1712	vlc.exe
2188	OUTLOOK.EXE
2188	OUTLOOK.EXE
2188	OUTLOOK.EXE
2188	OUTLOOK.EXE
2636	vlc.exe
2700	vlc.exe
1180	iexplore.exe
1180	iexplore.exe
2868	vlc.exe
1060	IEXPLORE.EXE
1060	IEXPLORE.EXE
2824	IEXPLORE.EXE
2824	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1348	1180	iexplore.exe	31
PID 1180 wrote to memory of 1348	1180	iexplore.exe	31
PID 1180 wrote to memory of 1348	1180	iexplore.exe	31
PID 1180 wrote to memory of 1348	1180	iexplore.exe	31
PID 1780 wrote to memory of 1060	1780	iexplore.exe	32
PID 1780 wrote to memory of 1060	1780	iexplore.exe	32
PID 1780 wrote to memory of 1060	1780	iexplore.exe	32
PID 1780 wrote to memory of 1060	1780	iexplore.exe	32
PID 1180 wrote to memory of 2824	1180	iexplore.exe	50
PID 1180 wrote to memory of 2824	1180	iexplore.exe	50
PID 1180 wrote to memory of 2824	1180	iexplore.exe	50
PID 1180 wrote to memory of 2824	1180	iexplore.exe	50
PID 2984 wrote to memory of 2996	2984	chrome.exe	54
PID 2984 wrote to memory of 2996	2984	chrome.exe	54
PID 2984 wrote to memory of 2996	2984	chrome.exe	54
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 328	2984	chrome.exe	56
PID 2984 wrote to memory of 1400	2984	chrome.exe	57
PID 2984 wrote to memory of 1400	2984	chrome.exe	57
PID 2984 wrote to memory of 1400	2984	chrome.exe	57
PID 2984 wrote to memory of 2512	2984	chrome.exe	58
PID 2984 wrote to memory of 2512	2984	chrome.exe	58
PID 2984 wrote to memory of 2512	2984	chrome.exe	58
PID 2984 wrote to memory of 2512	2984	chrome.exe	58
PID 2984 wrote to memory of 2512	2984	chrome.exe	58

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Users\Admin\AppData\Local\Temp\fucker script.exe
"C:\Users\Admin\AppData\Local\Temp\fucker script.exe"
1⤵
PID:1292

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1780 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1060

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1348
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1180 CREDAT:1061890 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2824

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:572

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1216

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:760

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:840

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:1616

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2056

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2172

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- outlook_win_path
PID:2188

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:2196

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2228

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2360

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2476

C:\Windows\system32\calc.exe
"C:\Windows\system32\calc.exe"
1⤵
PID:2516

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2636

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2788

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2868

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef2424f50,0x7fef2424f60,0x7fef2424f70
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,1722819964655067387,15524307700668473219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1076 /prefetch:2
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1048,1722819964655067387,15524307700668473219,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1048,1722819964655067387,15524307700668473219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1684 /prefetch:8
  2⤵
  PID:2512

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
"C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE"
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{2D30A5B1-580F-11ED-8C54-7AE8F1290C9B}.dat

Filesize
5KB

MD5
ea4eefaed43a5ebb24ab5a66e1dcd2cb

SHA1
50289eb2082060aa388dc8d4da869f5d820e3b1d

SHA256
c19957109acd28f45259e44b6fb33187fdb6bf5df4c0dc4077e0a0a0cdf7aa3c

SHA512
3842d46c6129dac6bffe81790bcfff5fc31ba72af1525d0985a903a2b1d4068e82943979466a49a8d44df815a464d9fdaee85b895964389589c11e9d803997f0

Download Submit
memory/572-54-0x000007FEFB611000-0x000007FEFB613000-memory.dmp

Filesize
8KB

Download
memory/2188-65-0x0000000070671000-0x0000000070673000-memory.dmp

Filesize
8KB

Download
memory/2188-68-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-70-0x000000007165D000-0x0000000071668000-memory.dmp

Filesize
44KB

Download
memory/2188-71-0x0000000075641000-0x0000000075643000-memory.dmp

Filesize
8KB

Download
memory/2188-72-0x00000000696D1000-0x00000000696D4000-memory.dmp

Filesize
12KB

Download