1a7f056ce9300cab56867c738f70095239b9d4d29daa1b392617b803a47176c6

Analysis

max time kernel
208s
max time network
210s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/01/2023, 18:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PTL Capital Lnc.msg
Size

308KB
MD5

4c9b0e82fb4ec788346215bf878e4869
SHA1

62c064db4cd8d212c7c67bef35f227a4d2037833
SHA256

1a7f056ce9300cab56867c738f70095239b9d4d29daa1b392617b803a47176c6
SHA512

6df878f974acc522e69dab520fdca76dd635dffa98ca7b43ef9b80850be4acfdd593a4e52175605d068fabbd5499a8d416ef3984bdbb74bdb8a7c3c29e65ddc2
SSDEEP

6144:YBFbfTLmFdnKSCF1Kz3ykgYxCxNrJxnA4GnGS0FhekB/QbrlCQxcyH:U7XGQ1Kz3yk9xCxdJh1Gnx0FheIArlCK

Score

6^/10

collection link pdf

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key enumerated	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x0006000000014ae8-61.dat	pdf_with_link_action

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000075358a17e99c89ac69fb7bff7970c3d6ac532ef34c2f25335137c3d9ff47ac98000000000e800000000200002000000066688b4c9111f29e4c28ac2bad55fef10ed56f29ef184f9df77eeeb9337d8289900000005b77b7bd27ad0da3cd5373af0c2ecbe055567af3c1a1af811ad192133e61f09591967e555c77648829b403c21b410531307ff2e9193c3c6f8e572553d3378143788aa43f940d57c1ba9ee27ddc42cd3538522994a9eba6fc3747523f2f92b4a660b19f6172f06b3cd7b316b3d414e00ee504cc5c3c383cad7bccdf31413ab5d74295f34c680a249be190568a3be5802740000000713136604afa43310361afac790435dcc6bf40c33827f0a3b261f7b67decfc54bc0f2ebe121c2a9bd1e3e8e9b6240c6021db918e4abea6687a9bd7930f333760	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B3D0C91-8AD8-11ED-91F2-D2F8C2B78FDE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379454711"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c50934e51ed901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\ftp\shell\open\command\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument %1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\.html\ = "ChromeHTML"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\.xht	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\ftp\shell\open\ddeexec	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\ftp\shell\open	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\ftp	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\http\shell\open	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\https\shell\open\command	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\https\shell\open\command\ = "\"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe\" --single-argument %1"	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\https\URL Protocol	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\http\shell\open\ddeexec\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\https\DefaultIcon	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\http\URL Protocol	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\.xhtml	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\ftp\shell\open\command	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	OUTLOOK.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O0KJJ6N4\PTL Capital Inc Tax Clearance Letter for Reinstatement Letter Comptroller TX.pdf:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O0KJJ6N4\PTL Capital Inc Tax Clearance Letter for Reinstatement Letter Comptroller TX (2).pdf\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1264	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
964	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1264	OUTLOOK.EXE
672	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE
Token: 33	2756	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2756	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
1264	OUTLOOK.EXE
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
2348	iexplore.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe
1944	chrome.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
1264	OUTLOOK.EXE
672	AcroRd32.exe
672	AcroRd32.exe
672	AcroRd32.exe
1264	OUTLOOK.EXE
672	AcroRd32.exe
2348	iexplore.exe
2348	iexplore.exe
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2348	iexplore.exe
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 672	1264	OUTLOOK.EXE	32
PID 1264 wrote to memory of 672	1264	OUTLOOK.EXE	32
PID 1264 wrote to memory of 672	1264	OUTLOOK.EXE	32
PID 1264 wrote to memory of 672	1264	OUTLOOK.EXE	32
PID 1944 wrote to memory of 1364	1944	chrome.exe	34
PID 1944 wrote to memory of 1364	1944	chrome.exe	34
PID 1944 wrote to memory of 1364	1944	chrome.exe	34
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 968	1944	chrome.exe	35
PID 1944 wrote to memory of 964	1944	chrome.exe	36
PID 1944 wrote to memory of 964	1944	chrome.exe	36
PID 1944 wrote to memory of 964	1944	chrome.exe	36
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37
PID 1944 wrote to memory of 1448	1944	chrome.exe	37

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\PTL Capital Lnc.msg"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1264
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O0KJJ6N4\PTL Capital Inc Tax Clearance Letter for Reinstatement Letter Comptroller TX.pdf"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:672

C:\Windows\system32\prevhost.exe
C:\Windows\system32\prevhost.exe {DC6EFB56-9CFA-464D-8880-44885D7DC193} -Embedding
1⤵
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6614f50,0x7fef6614f60,0x7fef6614f70
  2⤵
  PID:1364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1108 /prefetch:2
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1708 /prefetch:8
  2⤵
  PID:1448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2072 /prefetch:1
  2⤵
  PID:940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
  2⤵
  PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  PID:2268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
  2⤵
  PID:2276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1576 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2500 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4476 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1096,8156147023883769514,15254966897468809438,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=532 /prefetch:8
  2⤵
  PID:2728

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2348
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2348 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2400

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x524
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
2b9179faa2145fa981d380bde0393c95

SHA1
afd3856d1cf629d1ea270cde22bcabc31352d34f

SHA256
99306eb457a239c7131fe8e040fda1512b928de590908067a62a3f6f3d93fb26

SHA512
4f2826d6475a84dc3d3afb199773021300a29f090af733bb30f478a55758f54cc4d7b13d0b3343827b5db37d91d84486190ff633209a5f0e40a384d3f101a579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
416B

MD5
a57797919e4251c79e4f8cdb11528cc1

SHA1
bc176efb7a30e4feefa63232c47c7023a88368e3

SHA256
0f7b72fc172eb23bd41657f1bb7476651c5aea2905e91de8ac0e8c75c9019536

SHA512
63e07c7bca1924801cca5fca72db8d44a699bf0825d6fbf340362e93f36b62725d5aa3b7224bf1ff8e58b790471d1dc7ee1d64ae4ec10a98b15360a9d77f41ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5b3efd2f7fd6dfab0714f5b077b45cd2

SHA1
444f37526dbfb145f4d8dbc626254f00437f945c

SHA256
1582bf17d9421bd2fb6ba13bc0a045a3112f7392400d50fe02c0a36951210048

SHA512
50b20d2a7ccb752eeaeb4dac0f5436d3a33fe677d002e1a56f5ab8f110f1ab7e258ddb288c49d01a84c157031bb451e62888f884d8d402a9790272364a9109e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
24c8626731dd7369f4dd6ec549d43443

SHA1
173d1065b7c56e893eca58dd564fe540b9de0aff

SHA256
f55b27b9978b16b66d935b89e91984f6b4aa1926498c5313a6b948621cc4494b

SHA512
32489130564d1621a111064fdcef0a12ccfbee262c0c00659cad10d730650db30d9d7022c352aad64d15b816c10dd4c5edc5e60f785a2d7034dd499263fbc564

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ef7c31932419490c079c0877b31a3093

SHA1
1d0014ff6f915c39c4896f2d398200c8156f3bc2

SHA256
3fdcbb9f94d1616f7f6cbf1982002f004af9f368942b07c8ce79ac8cecfa5317

SHA512
434243f05a8fc2dad5224be0a01f753cfa5038204abc9f635f53e715b064e5fd7dfcb145fca40f825c246b26fe09dea4fc9cd48966334d5f7c376fe6d73cf35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
4KB

MD5
c5ee0d65d798fdcdea04908abf2a2ca5

SHA1
3601c42f38f0f96303caaf51a3449706964cda74

SHA256
dc4a30446385aaa679b9e8e6084abeb50e89a0ec5befeb0e51315a6b2c6e36cb

SHA512
d89f074f7012a94fcb8f4e36fc9fd3ba30208b13516797cb65fe51f28eab6ecadb1af7194075fe7d24fe74a8f5c8d6e1bfaecede309db1f52b654918603669b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\try74lz\imagestore.dat

Filesize
8KB

MD5
3efee513d8469edc1549262c4833bbe2

SHA1
477414731c0a171fbb8688cb1b407d2917b69049

SHA256
858f4b1f06f735adcb7e30cc0ce2d3ffaa2d2d0a73fee85f020b45a2ad5c0077

SHA512
965cf5acb2fb7b663b8ebe886636a94069e3ebd13a8327f845ce1e53fa43ab3d6be4e0c9b62c9e36a8cf8a82e04e758adb5eb952d4bc51beb9ea09cb2bb65fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\O0KJJ6N4\PTL Capital Inc Tax Clearance Letter for Reinstatement Letter Comptroller TX.pdf

Filesize
207KB

MD5
2d5759be563a786b821a33da0ffa4064

SHA1
101ef7badeb56ae28d88499215ce9ec067ce0139

SHA256
ca725d6ad7d142f1d384cd9c6c4732730fcd4feb2fcb7d24217f7f91a2098d4e

SHA512
27fd65a431e78a8f5083127bc193620c121df6954a13dcf11b5944bf9f974f58595073003c243e3bde4901640d617419356a157528077c201f85bebdcd09f785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\XI1YQ7F0.txt

Filesize
608B

MD5
9ced97dc2d14148407b5e0ba19d83add

SHA1
ad4eb2f73a11d762710c02b0a0daeba3da575fea

SHA256
12bde514a30e05b88618c891879b3edd7b2945ebc60328143eec6146a8a0eb4d

SHA512
c8ad804ab5daf706ec597dd4a5926f2143c002a1bd1a546c95490513019fec43dacf73aea588508c2cedf13395388577dce141b152ce808ee9e1017713fd5e37

Download Submit
memory/816-58-0x000007FEFB8E1000-0x000007FEFB8E3000-memory.dmp

Filesize
8KB

Download
memory/1264-54-0x00000000722D1000-0x00000000722D3000-memory.dmp

Filesize
8KB

Download
memory/1264-57-0x00000000732BD000-0x00000000732C8000-memory.dmp

Filesize
44KB

Download
memory/1264-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1264-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download