05781583e80208267be31f913d547d6c7f635073cd7437ba12b5c7a25e906c30

Analysis

max time kernel
270s
max time network
267s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/01/2023, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RV Proveedor En Aire Comprimido y Servicio de Mantenimiento.msg
Size

1.2MB
MD5

cddd3048c6275232c86db4c0054b6e75
SHA1

f6e45b8afd8e2d76df1148f92111f9dd32d56cc1
SHA256

05781583e80208267be31f913d547d6c7f635073cd7437ba12b5c7a25e906c30
SHA512

9749930f4105e8a6c0576fac9a21e86799a87015d14c51bde635605f1ebf0955f6bfddabe94c125fa62d4549f33b87c492c4256e541bc54acfa16deaedee6025
SSDEEP

24576:E3beQWpgSzTrcfmtpH4oKHW8ogSGAKSOU6m:E3beQQLDcfmtpH4oKHW8ogSGAKSOU6m

Score

6^/10

collection

Malware Config

Signatures

Accesses Microsoft Outlook profiles 1 TTPs 7 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key opened	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE
Key enumerated	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	OUTLOOK.EXE

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a71b0bd401a34c4498283406a6d0ba3000000000020000000000106600000001000020000000662b6f1b303f2bebfd1c5672f761ba2a8262e478a3cf0d7d023c8ac2d424bb6f000000000e80000000020000200000004fd4e8243de3a3e3b75735ee16cf341789a62a4939d91ba32e43d055db47b1a02000000046633ae9f764a4c0e20fb245c664999193a291f87342210de6d552158b0fdd1e40000000af86fb587f49996c5a8ad50da1f55034260b59de507fbd6abdefdc19ec4a5d52f87d1e0e732d9d445c0aa7a17f8a4ca1e6d9209d8e1515cbbf24eb8d29162da4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "379538829"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0a2e1fda81fd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{34DA05C1-8B9C-11ED-98C6-66397CAA4A34} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 19002f433a5c000000000000000000000000000000000000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = ffffffff	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\ComDlg\{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}\{82BA0782-5B7A-4569-B5D7-EC83085F08CC}\FFlags = "1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile	OUTLOOK.EXE

NTFS ADS 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\6YGLKWSL\WhatsApp Image 2022-12-17 at 11 23 47 AM.jpeg:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\6YGLKWSL\WhatsApp Image 2022-12-17 at 11 23 47 AM (2).jpeg\:Zone.Identifier:$DATA	OUTLOOK.EXE
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\6YGLKWSL\WhatsApp Image 2022-12-17 at 11 23 46 AM.jpeg:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\6YGLKWSL\WhatsApp Image 2022-12-17 at 11 23 46 AM (2).jpeg\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\Downloads\WhatsApp Image 2022-12-17 at 11.23.47 AM.jpeg\:Zone.Identifier:$DATA	OUTLOOK.EXE
File created	C:\Users\Admin\Downloads\WhatsApp Image 2022-12-17 at 11.23.46 AM.jpeg\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1364	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2176	chrome.exe
1044	chrome.exe
1044	chrome.exe
1968	iexplore.exe
2688	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1364	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1968	iexplore.exe
956	msdt.exe
1160	DllHost.exe
1160	DllHost.exe
1160	DllHost.exe
1160	DllHost.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe
1044	chrome.exe

Suspicious use of SetWindowsHookEx 36 IoCs

pid	Process
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1968	iexplore.exe
1968	iexplore.exe
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1364	OUTLOOK.EXE
1364	OUTLOOK.EXE
1360	IEXPLORE.EXE
1360	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 1968	1364	OUTLOOK.EXE	30
PID 1364 wrote to memory of 1968	1364	OUTLOOK.EXE	30
PID 1364 wrote to memory of 1968	1364	OUTLOOK.EXE	30
PID 1364 wrote to memory of 1968	1364	OUTLOOK.EXE	30
PID 1968 wrote to memory of 1360	1968	iexplore.exe	31
PID 1968 wrote to memory of 1360	1968	iexplore.exe	31
PID 1968 wrote to memory of 1360	1968	iexplore.exe	31
PID 1968 wrote to memory of 1360	1968	iexplore.exe	31
PID 1360 wrote to memory of 956	1360	IEXPLORE.EXE	33
PID 1360 wrote to memory of 956	1360	IEXPLORE.EXE	33
PID 1360 wrote to memory of 956	1360	IEXPLORE.EXE	33
PID 1360 wrote to memory of 956	1360	IEXPLORE.EXE	33
PID 1968 wrote to memory of 1564	1968	iexplore.exe	38
PID 1968 wrote to memory of 1564	1968	iexplore.exe	38
PID 1968 wrote to memory of 1564	1968	iexplore.exe	38
PID 1968 wrote to memory of 1564	1968	iexplore.exe	38
PID 1044 wrote to memory of 1684	1044	chrome.exe	40
PID 1044 wrote to memory of 1684	1044	chrome.exe	40
PID 1044 wrote to memory of 1684	1044	chrome.exe	40
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2168	1044	chrome.exe	41
PID 1044 wrote to memory of 2176	1044	chrome.exe	42
PID 1044 wrote to memory of 2176	1044	chrome.exe	42
PID 1044 wrote to memory of 2176	1044	chrome.exe	42
PID 1044 wrote to memory of 2288	1044	chrome.exe	43

outlook_win_path 1 IoCs

description	ioc	Process
Key queried	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	OUTLOOK.EXE

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\RV Proveedor En Aire Comprimido y Servicio de Mantenimiento.msg"
1⤵
- Accesses Microsoft Outlook profiles
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_win_path
PID:1364
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/LearnAboutSenderIdentification
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1360
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 131692 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDF5319.tmp -ep NetworkDiagnosticsWeb
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:956
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:1127433 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1564

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:2012

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:1160

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef64d4f50,0x7fef64d4f60,0x7fef64d4f70
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1132 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1760 /prefetch:8
  2⤵
  PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1132 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4504 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=536 /prefetch:8
  2⤵
  PID:2412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1632 /prefetch:1
  2⤵
  PID:1088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1864 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4260 /prefetch:8
  2⤵
  PID:2568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1124,3309401479117400098,3627630702773804266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
36fb1d3c3d0d6a59768e1000ebcefa26

SHA1
46fe3359b1532b37900773d3b59480f68b13eda8

SHA256
a7266d90b6c550abb09c1b701c3e0ffe01ff8604057d7736ac9db235566a9263

SHA512
073158e194e44a7c6fee7944753a2ffacb37252acd47b39de141e96d019b0ad3e4b9f9d241c609a0712238dd05605250ff6c5de7ceb90228569aff4646465233

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e71a1d3928b12277cfcaf89a2b534422

SHA1
99ae09f68206b5d2a8ea1d07659a94f10fdd247a

SHA256
3047a40318c4141deda48a6b902bc597e85d522b950b39dd8c34924226e827e9

SHA512
b422bd53fc71dc54db53962aaa801f1d89ca064e3698da1cd6204e7ebd05fe03ecded9f93cad684865092b4ddd590d33f60b6cd66c320edd0b60f35d9ac297ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
699490c8bdf8affe86eadd5b8ab6bfc5

SHA1
8ed39e525346c26c89d69492a0868592979d4048

SHA256
7154ee772493500347523c3aafbba062f1434c5520bfe9976536f2aecd380ea1

SHA512
16ba696ba8954512c8e6f85b0439cf81b883ee59ecf9efb3c0e342e7a5b495a3fd7dd56ec5389fc96d35333ad121392da330ea51b2282f1d42d4fefc711d01a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
614875a3713e455f2668fe07d467bde2

SHA1
c8c13ae251eed427746ab18ac9abeeaa81ce3510

SHA256
9a426708f3035f60600cffe0ab7779b439a216001c4f2d5d1819b5c13ee33094

SHA512
623df38a093cb3932bbc2b7097c96254dcd5113b0b246446f91211e534bacdb7a439fb8047dedbaf66e5211f6de392aa7a0c35a59bed458a3179def2fa79bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\6YGLKWSL\WhatsApp Image 2022-12-17 at 11 23 46 AM.jpeg

Filesize
100KB

MD5
0a1b07b8b905c1ed652f41b38ced06a8

SHA1
2245c6536bbe7aa9c8ee134476be55dc3e183496

SHA256
e87cf0c0ca30c19517e9fd36bb2c07d911e09bd2540acb465bfc8e245f675a39

SHA512
5f8fc6968829c7ce3df8151e62e2620fd3f1427a85d36429b3487014f8e613e945323f1db198ebfe19a59462fd3103841dcdbe4bd8481a5751df75447ec46e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDF5319.tmp

Filesize
3KB

MD5
f610544c505542b8577d7a914fb6f727

SHA1
36dad084610eaaa06cb94e37470d79e6f1f0811b

SHA256
57fad649e9e915d529a348a35c242c44a82753afd8373267eb2fd5ba5198a6c5

SHA512
3774e7c2e5c839aa89e3e855e422a86fdaa086d829626381f77c0a50c1f7ddbd1cce5a03c3022b3d74dbf380c6b353a3aa3dbf0e81cbbd1ce0c77afcda4afdcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\K2T6HF5U.txt

Filesize
601B

MD5
5758719c06d2a0eba1e8c70d7079318b

SHA1
784f43a4394421f49479cfb6c6b8bf59b2a40e78

SHA256
2d97a700c919bc585d7e814e64298b8a529f5763203e2e15697778cfda14d4ee

SHA512
af72a5e59eb6e3b198474318b5e57abd5492df0bbeb9269cc5d8fab0a7729610cc247320651ee5ea9581be6a3285ead177e1fa0489b01f4257388a653d8af12b

Download Submit
memory/956-62-0x000000006A461000-0x000000006A463000-memory.dmp

Filesize
8KB

Download
memory/1364-67-0x00000000085F0000-0x0000000008635000-memory.dmp

Filesize
276KB

Download
memory/1364-54-0x00000000728B1000-0x00000000728B3000-memory.dmp

Filesize
8KB

Download
memory/1364-58-0x0000000008A60000-0x0000000008AA5000-memory.dmp

Filesize
276KB

Download
memory/1364-57-0x000000007389D000-0x00000000738A8000-memory.dmp

Filesize
44KB

Download
memory/1364-56-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1364-55-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2012-65-0x00000000636A0000-0x0000000063C4B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-64-0x00000000636A0000-0x0000000063C4B000-memory.dmp

Filesize
5.7MB

Download