edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

Analysis

max time kernel
145s
max time network
148s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/04/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

toba22bbc.exe
Size

977KB
MD5

13348cb1966e434e5cb63b82e42291b7
SHA1

0c8c616bbdf2b7996358142af6a6ba886fc2b2a9
SHA256

edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275
SHA512

0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b
SSDEEP

24576:8FUrdbfahvepYoeyAmzhocZn+M+WGDBGkV:8Yb1bPhoCnD+WGIkV

Score

7^/10

collection spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
740	svchost.exe
268	svchost.exe
748	svchost.exe
828	svchost.exe
2036	svchost.exe
1312	svchost.exe

Loads dropped DLL 15 IoCs

pid	Process
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
868	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1420	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe
1440	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 12 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	toba22bbc.exe
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 7 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ipinfo.io
24	ipinfo.io
3	ipinfo.io
4	ipinfo.io
12	ipinfo.io
17	ipinfo.io
18	ipinfo.io

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1304 set thread context of 1904	1304	toba22bbc.exe	27
PID 740 set thread context of 268	740	svchost.exe	37
PID 748 set thread context of 828	748	svchost.exe	48
PID 2036 set thread context of 1312	2036	svchost.exe	58

Program crash 4 IoCs

pid	pid_target	Process	procid_target
816	1904	WerFault.exe	27
868	268	WerFault.exe	37
1420	828	WerFault.exe	48
1440	1312	WerFault.exe	58

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	toba22bbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	toba22bbc.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1688	schtasks.exe
1328	schtasks.exe
1768	schtasks.exe
1716	schtasks.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	toba22bbc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	toba22bbc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1904	toba22bbc.exe
Token: SeDebugPrivilege	268	svchost.exe
Token: SeDebugPrivilege	828	svchost.exe
Token: SeDebugPrivilege	1312	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1904	1304	toba22bbc.exe	27
PID 1304 wrote to memory of 1312	1304	toba22bbc.exe	28
PID 1304 wrote to memory of 1312	1304	toba22bbc.exe	28
PID 1304 wrote to memory of 1312	1304	toba22bbc.exe	28
PID 1304 wrote to memory of 1312	1304	toba22bbc.exe	28
PID 1304 wrote to memory of 608	1304	toba22bbc.exe	30
PID 1304 wrote to memory of 608	1304	toba22bbc.exe	30
PID 1304 wrote to memory of 608	1304	toba22bbc.exe	30
PID 1304 wrote to memory of 608	1304	toba22bbc.exe	30
PID 1304 wrote to memory of 268	1304	toba22bbc.exe	32
PID 1304 wrote to memory of 268	1304	toba22bbc.exe	32
PID 1304 wrote to memory of 268	1304	toba22bbc.exe	32
PID 1304 wrote to memory of 268	1304	toba22bbc.exe	32
PID 608 wrote to memory of 1688	608	cmd.exe	34
PID 608 wrote to memory of 1688	608	cmd.exe	34
PID 608 wrote to memory of 1688	608	cmd.exe	34
PID 608 wrote to memory of 1688	608	cmd.exe	34
PID 1524 wrote to memory of 740	1524	taskeng.exe	36
PID 1524 wrote to memory of 740	1524	taskeng.exe	36
PID 1524 wrote to memory of 740	1524	taskeng.exe	36
PID 1524 wrote to memory of 740	1524	taskeng.exe	36
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 268	740	svchost.exe	37
PID 740 wrote to memory of 608	740	svchost.exe	38
PID 740 wrote to memory of 608	740	svchost.exe	38
PID 740 wrote to memory of 608	740	svchost.exe	38
PID 740 wrote to memory of 608	740	svchost.exe	38
PID 740 wrote to memory of 1596	740	svchost.exe	39
PID 740 wrote to memory of 1596	740	svchost.exe	39
PID 740 wrote to memory of 1596	740	svchost.exe	39
PID 740 wrote to memory of 1596	740	svchost.exe	39
PID 740 wrote to memory of 1976	740	svchost.exe	40
PID 740 wrote to memory of 1976	740	svchost.exe	40
PID 740 wrote to memory of 1976	740	svchost.exe	40
PID 740 wrote to memory of 1976	740	svchost.exe	40
PID 1596 wrote to memory of 1328	1596	cmd.exe	44
PID 1596 wrote to memory of 1328	1596	cmd.exe	44
PID 1596 wrote to memory of 1328	1596	cmd.exe	44
PID 1596 wrote to memory of 1328	1596	cmd.exe	44
PID 1904 wrote to memory of 816	1904	toba22bbc.exe	45
PID 1904 wrote to memory of 816	1904	toba22bbc.exe	45
PID 1904 wrote to memory of 816	1904	toba22bbc.exe	45
PID 1904 wrote to memory of 816	1904	toba22bbc.exe	45
PID 268 wrote to memory of 868	268	svchost.exe	46
PID 268 wrote to memory of 868	268	svchost.exe	46
PID 268 wrote to memory of 868	268	svchost.exe	46
PID 268 wrote to memory of 868	268	svchost.exe	46
PID 1524 wrote to memory of 748	1524	taskeng.exe	47
PID 1524 wrote to memory of 748	1524	taskeng.exe	47

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe
"C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe
  "C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe"
  2⤵
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 1880
    3⤵
    - Program crash
    PID:816
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:1312
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:1688
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\toba22bbc.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:268

C:\Windows\system32\taskeng.exe
taskeng.exe {98FC7A0D-9E39-448B-949A-4A77115BBFDF} S-1-5-21-3499517378-2376672570-1134980332-1000:MLXLFKOI\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1524
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:268
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 268 -s 1860
      4⤵
      Loads dropped DLL
      Program crash
      PID:868
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:608
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:1976
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:748
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:828
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 1860
      4⤵
      Loads dropped DLL
      Program crash
      PID:1420
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:240
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1768
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:820
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2036
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1312
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 1852
      4⤵
      Loads dropped DLL
      Program crash
      PID:1440
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:432
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:784
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27460d35aab910c3681f70c8288657c2

SHA1
a56ae2f5a1061f05837eb5443498b68d9b4a2334

SHA256
4455f30a28bc5d57d1668bc202478f593bec192af0b577c5580d4ecce1b3c49a

SHA512
00c4f91f15f85f409b9411ca5af68f088784e7c56344416db0b379d3a63928dc6562f6f8715925e2577dcb133006ac02c46d4ee103a4d70acd399dede12384da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb268e39b4661d2201d404539aec9ddf

SHA1
986862a903b7e1af6608cc5e2fe664771e4a400e

SHA256
26d7485360bfceb0719c8927d0f7ed56b1703424d0db899ae930a1c4095a8dcf

SHA512
083e9a516724e7571b75242118c4f58812163a8179ae2ddc5371da6ad6ea4c6e8dcdaa427e0b877d048fb1b41fdeca3781a5a43a785cd8e51acccaefb3d795c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b2fa6412c3d07baa5472630935210c6

SHA1
6a542655b3322afca967ffb64b46e581c5bbd205

SHA256
36ea235c3a0e09bd8363b47a4e4687eb9570f0c452b15b3602d49a001407a7c6

SHA512
2031c3d1bc0c64fe6a7efd44c5003eecd491830c6095f5990d8d78caa3bd5924fb1de773a1bb0eb05d8d75616645b29d9ce33b3db98b56c688d5cd24321f4978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ce6ae023ad2867dc8a7b977a525cc49

SHA1
deec50d14af3a906b2980f6015f31d14a351b968

SHA256
b0444a8958fb648c26e369cdb197d7892fa6347add8b3e6fda25a5a074df3052

SHA512
f49352a55b87efb8e943874a6d4aaabf5cc1fbf5ee300248b1eb84ef708d9150c644d05cb18c1ca4e5e482a314148425e3eddd21fb80cc6611af09023d2f0af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3F93.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar415E.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\h4zpzbll.04g\userinfo.txt

Filesize
179B

MD5
67166d911ef27350cd77a0cf483782ad

SHA1
fbc9c8e0509eefa1664d4adf7d77c929f48d5928

SHA256
3ffd953fa8ee215bd699d47cda50c6fc68e94b8f268d56186d17ad7be038b304

SHA512
33c3d8e027641defe22b479aa6b683f25aedfcda26e00d424d68186f935cc776d9c0b2cf56646e675fa009bd148cf5d5d40d7d80382b246c226beb82f2d13ac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\hb3otloc.as4\Cookies\Chrome-Default.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4635.tmp.tmpdb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57CA.tmp.tmpdb

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp57FC.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6948.tmp.tmpdb

Filesize
288KB

MD5
8acfd68044a7fa57661e3f78d52e4a25

SHA1
f63e713c9fea4565f7ee27968dcb9c18b6d58670

SHA256
548d2fdb63e184bf89af7320689fe0e2f001e82fcea6b48d61518e8beb9197c8

SHA512
e768e38cacee462ce50750d0c8cfedf91855838c60034b6a08b6ceb8d6bf9f7acafd05b57bbb194c008a33bfbbb666fcca0eaba72c789dfa6de5af60b6fae2d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\NewConnect.txt

Filesize
575KB

MD5
add238b90ea51f41c39b68a71200d2fa

SHA1
a825cc624a51eebf53048099c20787d825526a68

SHA256
f5004b12214f9bbc8ecb4377b50c1d3df0a70d86a9ab4b2fe91a86e23219e815

SHA512
107ddab9b5a114579d0cda3de3addfcdbfa40945c3a0c60eb91dd3fda93d0cf1fb8bbec98c467ea7a6387292a7c70dd9332c2bbeca690b7e2fe22aefabd0f605

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\RegisterBackup.docx

Filesize
636KB

MD5
d01013a4b07e9d8d922832d61083b6c0

SHA1
1290035f458594206c71621228b5d43ed27cd677

SHA256
a2469d6fcc5b36bad2a2cb076d707922031422874dc2d724aba8b1f7fbfa3978

SHA512
a6bb91dbf0fbd9a4746671061c409cd5151ba2a79df1397b0e1f24f8b5556be20ae7c11cc0826824693914425cb4425890dfeed7c6be9425a284fbd8a572eb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\RemoveRegister.docx

Filesize
424KB

MD5
c1deb990cf0728be1f2816804a613f0b

SHA1
285df9e7a4527604a6e61e6fd4c2ec777365b5bb

SHA256
7c3ba0fd877617cb603cb73b7f8661a1de759ddd8c18efc27454a2b196c75fa1

SHA512
8eb151959fe5fd581dcc655c62ebd96b17849141f0c7cd33497d751885467d580df3482761b5b5523b66194165d41aa0b074e0f5b4da7cf874a784c88a33595a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\RestartImport.doc

Filesize
817KB

MD5
3c77a37cafaee73a6578191a875fd601

SHA1
8b6c937bf1c2c0af7b55bfce90741f1c76076764

SHA256
b6b211346725364d860461b4b62de41f17fe20455dcbd6c6817676e6120f593e

SHA512
b512fb02c000788648f8c485b30148bd76ac6104d63bb9de8dd6f1e8cac0af46da4f6c73fab4a7eea2abc3cb567869a82ec62b7cdaede326e5c1b041d666f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\zvg3wsor.lva\SensitiveFiles\UnprotectCompare.doc

Filesize
969KB

MD5
fb492fb8c40c3cc6f9ff3a6ea4f25009

SHA1
1a7c7d9c1e0ac8b7adfd3a8dced1ca570398c6c4

SHA256
d52b48fbfe8160a9a9d8a446f35f7a06b6c5b762f37aa7e0780ad124d83d43d4

SHA512
159684744f810625d8999ec7af12aeeaabc856e040a562ca2f4d211b582cfe7f8c39de5ff887574d57cf07888ebf6078ae31a27d368d94a14ba0a32eadef9193

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
977KB

MD5
13348cb1966e434e5cb63b82e42291b7

SHA1
0c8c616bbdf2b7996358142af6a6ba886fc2b2a9

SHA256
edcf7182460deb84c07d79968ebb518cc9c8611148a4eb0e1e37b78ff175f275

SHA512
0c9f23bd9e17dad82ae5a634ac92f252e522f76de693e82210449bcb08e6038880a8a4a028632cd74764d2778f141d0cfd39754ee06348007e1b90968654643b

Download Submit
memory/268-309-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/268-176-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-220-0x0000000004EF0000-0x0000000004F30000-memory.dmp

Filesize
256KB

Download
memory/740-73-0x0000000004900000-0x0000000004940000-memory.dmp

Filesize
256KB

Download
memory/740-72-0x0000000000C00000-0x0000000000CFA000-memory.dmp

Filesize
1000KB

Download
memory/748-311-0x0000000000660000-0x00000000006A0000-memory.dmp

Filesize
256KB

Download
memory/828-410-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/828-323-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/1304-55-0x0000000000A80000-0x0000000000AC0000-memory.dmp

Filesize
256KB

Download
memory/1304-54-0x00000000010D0000-0x00000000011CA000-memory.dmp

Filesize
1000KB

Download
memory/1304-56-0x0000000000EA0000-0x0000000000F76000-memory.dmp

Filesize
856KB

Download
memory/1312-424-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

Filesize
256KB

Download
memory/1904-62-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-221-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/1904-59-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-60-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-58-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-143-0x00000000087A0000-0x0000000008852000-memory.dmp

Filesize
712KB

Download
memory/1904-57-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-61-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1904-163-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/1904-64-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-66-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1904-69-0x0000000000D40000-0x0000000000D80000-memory.dmp

Filesize
256KB

Download
memory/2036-412-0x0000000002370000-0x00000000023B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads