414155bf11893ec64ba0f4ffb7de92885090845a0761cf8f6743462aa5991d5e

Analysis

max time kernel
131s
max time network
54s
platform
windows7_x64
resource
win7-20230621-en
resource tags

arch:x64arch:x86image:win7-20230621-enlocale:en-usos:windows7-x64system
submitted
29/06/2023, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OInstall.exe
Size

10.9MB
MD5

ebc58647462ad9c76395ef451064d115
SHA1

14e470812f13b278b2694a4cec5737a39784e9dd
SHA256

414155bf11893ec64ba0f4ffb7de92885090845a0761cf8f6743462aa5991d5e
SHA512

8a9ef093d151957ae3c4c8e572fcdbd2198398c95ff8186d532853856c12c8f9ae7408c4f24518c5903faa517ea4e1d5779e797c5a4d850073fbee3ab801e8cc
SSDEEP

196608:2ZnMGjZsDEsCaYsGEHy61bgUhufRswPU2/V8Gd83/PALDP0PiaQxhwf+9zYul28S:WnjZhsCOU6ZgfPPPuGdnv0fzfoDYtB

Score

10^/10

upx

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.16529.20154/i640.cab

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.16529.20154/i641033.cab

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1528	powershell.exe
6	1208	powershell.exe
10	1224	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1588	files.dat
920	OfficeClickToRun.exe

Loads dropped DLL 1 IoCs

pid	Process
2024	OInstall.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2024-68-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-70-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-84-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-100-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-509-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-510-0x0000000000400000-0x000000000199D000-memory.dmp	upx
behavioral1/memory/2024-511-0x0000000000400000-0x000000000199D000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-core-file-l1-2-0.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\e646162cbf24c74d8b974b5f8fba680b.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\52dfb08ee5e9ee4980f3a9250564c5cb.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\9d1d24e343991245aa0f220a73e0ac2a.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.vi-vn.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\098a02a57066fa448b552d7c9e4512b8.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\84fbf12be7b1654aae6f90c5431e5a32.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\404c522cca9e224cba8c96a32db2cb7d.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\d71d35b0266a7d4d9550380f7d48bb8a.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\4b915ea4c3972946b57622620cca4d7e.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\c9339853ec328e4a98d17387c8203cd3.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\29e62c3e883b54499e2d727a8a448650.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\0cee85802219de4cbae94e0c9b3aa602.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\f577946c350c504fa0b6c0d0c418ee7b.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-crt-string-l1-1-0.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVIsvSubsystems64_msix.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\97c3b2c3f156534fbdb7119f698df28b.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\5cd7817fa2d6814a84102bf891d7246a.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\4ea7bea6b1bc044eaed91a66a8225123.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\4f8c136c78c27441b0d051388fed7b8e.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\05bb764fce198340808a157e4ae022e2.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.en-gb.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.ms-my.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.zh-cn.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\d726797061f38e46be818cc8060fef46.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-core-localization-l1-2-0.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\33457a800fc6d84fa7db4d9c928acc31.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\api-ms-win-crt-process-l1-1-0.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\msvcr120.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\eb0fdb1ae4b02a4fb7aae3637d7bc157.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\be65e373e0cc3d4292d2633c902c73de.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.pt-br.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\IntegratedOffice.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\63a77acbe4edb445975e513e46d215ca.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\officesvcmgrschedule.xml	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.cs-cz.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\OfficeOEMPlugin.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\59ba66ad44263140b553a3ee06dca1f6.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVIsvStreamingManager.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\2d84af524941fa44842be0d2bb5e92e3.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\FrequentOfficeUpdateSchedule.xml	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\InspectorOfficeGadget.exe	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\224c331094d6cf428f344ce12818312a.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\vcruntime140_1.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\e0dfcfc59e0a994c88c182db86677358.tmp	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\db043d0bd2c5494bab37443674e8de90.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RUI.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\d33d6e5f12587045914a4bae84a97ebf.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\concrt140.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\edada6e4afb6b446a91db821bee9f1fb.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\OfficeClickToRun.exe	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\SharedPerformance.man	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\SubsystemController.man	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\ucrtbase.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\AppVPolicy.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.lt-lt.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\ClientEventLogMessages.man	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\5e50c86506a20e4187ff08b5d9eea877.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\vcruntime140.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\819c26afdd733c45b8291a8ff068af3a.tmp	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.fr-ca.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.pl-pl.dll	expand.exe
File opened for modification	C:\Program Files\Common Files\microsoft Shared\ClickToRun\C2RINTL.zh-tw.dll	expand.exe
File created	C:\Program Files\Common Files\microsoft Shared\ClickToRun\$dpx$.tmp\999e7953db0f7a4ebd8131525857581b.tmp	expand.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1532	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1588	files.dat

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1528	powershell.exe
436	powershell.exe
1208	powershell.exe
1224	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2024	OInstall.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE
Token: 33	320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	320	AUDIODG.EXE
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2004	2024	OInstall.exe	28
PID 2024 wrote to memory of 2004	2024	OInstall.exe	28
PID 2024 wrote to memory of 2004	2024	OInstall.exe	28
PID 2024 wrote to memory of 2004	2024	OInstall.exe	28
PID 2004 wrote to memory of 1588	2004	cmd.exe	30
PID 2004 wrote to memory of 1588	2004	cmd.exe	30
PID 2004 wrote to memory of 1588	2004	cmd.exe	30
PID 2004 wrote to memory of 1588	2004	cmd.exe	30
PID 2024 wrote to memory of 1532	2024	OInstall.exe	32
PID 2024 wrote to memory of 1532	2024	OInstall.exe	32
PID 2024 wrote to memory of 1532	2024	OInstall.exe	32
PID 2024 wrote to memory of 1532	2024	OInstall.exe	32
PID 2024 wrote to memory of 1528	2024	OInstall.exe	34
PID 2024 wrote to memory of 1528	2024	OInstall.exe	34
PID 2024 wrote to memory of 1528	2024	OInstall.exe	34
PID 2024 wrote to memory of 1528	2024	OInstall.exe	34
PID 2024 wrote to memory of 1624	2024	OInstall.exe	36
PID 2024 wrote to memory of 1624	2024	OInstall.exe	36
PID 2024 wrote to memory of 1624	2024	OInstall.exe	36
PID 2024 wrote to memory of 1624	2024	OInstall.exe	36
PID 2024 wrote to memory of 436	2024	OInstall.exe	38
PID 2024 wrote to memory of 436	2024	OInstall.exe	38
PID 2024 wrote to memory of 436	2024	OInstall.exe	38
PID 2024 wrote to memory of 436	2024	OInstall.exe	38
PID 2024 wrote to memory of 1208	2024	OInstall.exe	40
PID 2024 wrote to memory of 1208	2024	OInstall.exe	40
PID 2024 wrote to memory of 1208	2024	OInstall.exe	40
PID 2024 wrote to memory of 1208	2024	OInstall.exe	40
PID 2024 wrote to memory of 292	2024	OInstall.exe	42
PID 2024 wrote to memory of 292	2024	OInstall.exe	42
PID 2024 wrote to memory of 292	2024	OInstall.exe	42
PID 2024 wrote to memory of 292	2024	OInstall.exe	42
PID 2024 wrote to memory of 1224	2024	OInstall.exe	44
PID 2024 wrote to memory of 1224	2024	OInstall.exe	44
PID 2024 wrote to memory of 1224	2024	OInstall.exe	44
PID 2024 wrote to memory of 1224	2024	OInstall.exe	44
PID 2024 wrote to memory of 1340	2024	OInstall.exe	46
PID 2024 wrote to memory of 1340	2024	OInstall.exe	46
PID 2024 wrote to memory of 1340	2024	OInstall.exe	46
PID 2024 wrote to memory of 1340	2024	OInstall.exe	46
PID 2024 wrote to memory of 920	2024	OInstall.exe	48
PID 2024 wrote to memory of 920	2024	OInstall.exe	48
PID 2024 wrote to memory of 920	2024	OInstall.exe	48
PID 2024 wrote to memory of 920	2024	OInstall.exe	48
PID 2024 wrote to memory of 1028	2024	OInstall.exe	50
PID 2024 wrote to memory of 1028	2024	OInstall.exe	50
PID 2024 wrote to memory of 1028	2024	OInstall.exe	50
PID 2024 wrote to memory of 1028	2024	OInstall.exe	50
PID 1028 wrote to memory of 1212	1028	cmd.exe	51
PID 1028 wrote to memory of 1212	1028	cmd.exe	51
PID 1028 wrote to memory of 1212	1028	cmd.exe	51
PID 2024 wrote to memory of 1364	2024	OInstall.exe	52
PID 2024 wrote to memory of 1364	2024	OInstall.exe	52
PID 2024 wrote to memory of 1364	2024	OInstall.exe	52
PID 2024 wrote to memory of 1364	2024	OInstall.exe	52
PID 1364 wrote to memory of 1920	1364	cmd.exe	54
PID 1364 wrote to memory of 1920	1364	cmd.exe	54
PID 1364 wrote to memory of 1920	1364	cmd.exe	54
PID 2024 wrote to memory of 1508	2024	OInstall.exe	55
PID 2024 wrote to memory of 1508	2024	OInstall.exe	55
PID 2024 wrote to memory of 1508	2024	OInstall.exe	55
PID 2024 wrote to memory of 1508	2024	OInstall.exe	55
PID 1508 wrote to memory of 740	1508	cmd.exe	57
PID 1508 wrote to memory of 740	1508	cmd.exe	57

C:\Users\Admin\AppData\Local\Temp\OInstall.exe
"C:\Users\Admin\AppData\Local\Temp\OInstall.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c files.dat -y -pkmsauto
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Local\Temp\files\files.dat
    files.dat -y -pkmsauto
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1588
- C:\Windows\system32\reg.exe
  "C:\Windows\Sysnative\reg.exe" add HKLM\Software\Policies\Microsoft\Office\16.0\Common\OfficeUpdate /v UpdateBranch /d Current /f
  2⤵
  - Modifies registry key
  PID:1532
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32.cab', 'C:\Users\Admin\AppData\Local\Temp\over987804\v32.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1528
- C:\Windows\SysWOW64\expand.exe
  "expand" v32.cab -F:VersionDescriptor.xml C:\Users\Admin\AppData\Local\Temp\over987804
  2⤵
  - Drops file in Windows directory
  PID:1624
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { Get-Content C:\Users\Admin\AppData\Local\Temp\over987804\VersionDescriptor.xml | Set-Content -Encoding ASCII v32.txt }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:436
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.16529.20154/i640.cab', 'C:\Users\Admin\AppData\Local\Temp\over987804\i640.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1208
- C:\Windows\SysWOW64\expand.exe
  "expand" i640.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:292
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -command "& { (New-Object Net.WebClient).DownloadFile('http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/16.0.16529.20154/i641033.cab', 'C:\Users\Admin\AppData\Local\Temp\over987804\i641033.cab') }"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SysWOW64\expand.exe
  "expand" i641033.cab -F:* "C:\Program Files\Common Files\microsoft Shared\ClickToRun"
  2⤵
  - Drops file in Program Files directory
  - Drops file in Windows directory
  PID:1340
- C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
  "C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe" deliverymechanism=492350f6-3a01-4f97-b9c0-c7c6ddf67d60 platform=x64 productreleaseid=none culture=en-us defaultplatform=False lcid=1033 b= storeid= forceupgrade=True piniconstotaskbar=False pidkeys=XQNVK-8JYDB-WJ9W3-YJ8YR-WFG99,YG9NW-3K39V-2T3HJ-93F3Q-G83KT,PD3PC-RHNGV-FXJ29-8JK7D-RJRJK forceappshutdown=True autoactivate=1 productstoadd=ProPlusVolume.16_en-us_x-none|ProjectProVolume.16_en-us_x-none|VisioProVolume.16_en-us_x-none scenario=unknown updatesenabled.16=True acceptalleulas.16=True cdnbaseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 version.16=16.0.16529.20154 mediatype.16=CDN baseurl.16=http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60 sourcetype.16=CDN displaylevel=True uninstallpreviousversion=True ProPlusVolume.excludedapps.16=onedrive,teams ProjectProVolume.excludedapps.16=onedrive,teams VisioProVolume.excludedapps.16=onedrive,teams
  2⤵
  - Executes dropped EXE
  PID:920
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\system32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "AudienceId" /t REG_SZ /d 492350f6-3a01-4f97-b9c0-c7c6ddf67d60
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\system32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "CDNBaseUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
    3⤵
    PID:1920
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\system32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannel" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
    3⤵
    PID:740
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
  2⤵
  PID:1756
- - C:\Windows\system32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateChannelChanged" /t REG_SZ /d True
    3⤵
    PID:1664
- C:\Windows\system32\cmd.exe
  "C:\Windows\Sysnative\cmd.exe" /D /c reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
  2⤵
  PID:1988
- - C:\Windows\system32\reg.exe
    reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\Configuration" /f /v "UpdateUrl" /t REG_SZ /d http://officecdn.microsoft.com/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60
    3⤵
    PID:572

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x584
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Filesize
11.3MB

MD5
e9f45c6495018f14ec1448f281d6ff63

SHA1
9abc563f4b1bcde3c253099a7bf6746014d94390

SHA256
e3f51be4fee8aa9ad40ba3a25a9ff18e46e40784dca14e0dd0d95a14d3e5920c

SHA512
569898ce065a3cc05131a8420002b4a165fc42ffb828cdbecebee39dcfe804461bd1d2528728480b8f2f3081a63de0bff51fdea42a3f8526d018df518cc9a792

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Local\Temp\files\files.dat

Filesize
707KB

MD5
55d21b2c272a5d6b9f54fa9ed82bf9eb

SHA1
32464cba823cd9b7e94e4fa1a32a8f2344b0f33b

SHA256
7a1c82e264258470d14ca345ea1a9b6fc34fa19b393a92077a01be5f1ad08f47

SHA512
1b68d0c61367717529be4a3aa347bb69d3e21de7a89b10e8b0aa54d40af988cc0cc8e63298ba595a93c3372aca3770ace1eee2780a59238d0948499dbb4be725

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987804\VersionDescriptor.xml

Filesize
20KB

MD5
684b9982777d9f6c50f3e6234151af12

SHA1
51c0d37ade0eef45ca470b11aa03ee1cbaa36c38

SHA256
40c21ed8e689792ec927835241653a7ee034999f8dbff61a8d735872d7ff290e

SHA512
b47219ca329c107299273365a1cc40914b36b769c65cd06eff298e497e2607dd45e146fd3fa3dffcc6cc61940de2048d0d52913a4ba06dc8b0ea7307cd9c01cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987804\i640.cab

Filesize
30.4MB

MD5
f47dfbd968297fc379fed716164fd2fa

SHA1
69203cafbf64256ffc4991cdd24340f9fa178c6c

SHA256
5a3a1b78a4d5dcd80e8680a8b1e579b1833f8eabc835911dbe120004fdc5dd66

SHA512
3c64c35ec4330ecfd36c09956c46ebba1cd13f1b38eee65e7ec8a5cdab7eafb582b0fe19b1ced299bd89104ec42e5e29a146db0d56c05c9fa2eb48d73020c4c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987804\i641033.cab

Filesize
9KB

MD5
ea68e3528c96f4e0faf3e883240bc981

SHA1
e0b5d376d064ba6924942699deee854d8c1190e2

SHA256
37c15b3e3e9dccc67dc99aa86234fbdfa0db9e4d9edb320e9a76ea7f651cf4a3

SHA512
1e3230ffbbd843c16b9ecdbd1b5825b1c282f2015b1ca67ec7d92db567f365a743137de4fa6c84db6991925eb2be119c2d6e23b378688bdb5d80757b1519c0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987804\v32.cab

Filesize
11KB

MD5
aa8a46a5c5630bcb494a98efe52043c5

SHA1
eca43c58184645dc0e1bd789678d72a3b2e04fac

SHA256
d5cfbf643696a7ff56e5a5f43605e11358582200da93bb020a236d938718c8a9

SHA512
a203c4755377719db12d2fe845a020b577d85e2ad7134ccf961fefbf71345bfda7a9da80f16737469d0bcd22362a3298294fe077e8ea9ad4aea138ee510dfac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\over987804\v32.txt

Filesize
20KB

MD5
666b99e7fbf8a97594bd92a585c6144c

SHA1
a2ce1d5ec4167874882cfbbcaa5e2b2a3d170e8e

SHA256
74216ebe1341e1b0102c99f01586d2875a7534da735480241fdbf7108863a4a5

SHA512
7abbcdb4e7ff08fdc4e2c63cfa3389d96cbd3220b59d3f0598dabb1ff7cbeb209ade80fe57298c3fe6c9e54acc1798991475edd190bca2e56b2ad455dbf32342

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K7ZTZP7DXIM0QU2287PJ.temp

Filesize
7KB

MD5
f709e390407ae55beac34a0bfeded0dd

SHA1
6024497101ce8190c3109d62e4d5adb02e59dc5b

SHA256
1df46ccb66e2b0366e6b8e0ce723c20240bd67d47701660e41a2f3ceb2aa7ad4

SHA512
4ce6949db56146f04c060d95842f7b7804213b38d15b90112e05a0c90be80f61128fbf02b80ff3384ebdfd44c1e33844d9928ded6f0950a6472b6462cc3e32cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f709e390407ae55beac34a0bfeded0dd

SHA1
6024497101ce8190c3109d62e4d5adb02e59dc5b

SHA256
1df46ccb66e2b0366e6b8e0ce723c20240bd67d47701660e41a2f3ceb2aa7ad4

SHA512
4ce6949db56146f04c060d95842f7b7804213b38d15b90112e05a0c90be80f61128fbf02b80ff3384ebdfd44c1e33844d9928ded6f0950a6472b6462cc3e32cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f709e390407ae55beac34a0bfeded0dd

SHA1
6024497101ce8190c3109d62e4d5adb02e59dc5b

SHA256
1df46ccb66e2b0366e6b8e0ce723c20240bd67d47701660e41a2f3ceb2aa7ad4

SHA512
4ce6949db56146f04c060d95842f7b7804213b38d15b90112e05a0c90be80f61128fbf02b80ff3384ebdfd44c1e33844d9928ded6f0950a6472b6462cc3e32cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f709e390407ae55beac34a0bfeded0dd

SHA1
6024497101ce8190c3109d62e4d5adb02e59dc5b

SHA256
1df46ccb66e2b0366e6b8e0ce723c20240bd67d47701660e41a2f3ceb2aa7ad4

SHA512
4ce6949db56146f04c060d95842f7b7804213b38d15b90112e05a0c90be80f61128fbf02b80ff3384ebdfd44c1e33844d9928ded6f0950a6472b6462cc3e32cd

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
6KB

MD5
d888a772f80cbb4d9ee4eaca9bbdf3a5

SHA1
d96b6cd41900d28540d7022b457821421a0219e0

SHA256
88bc305d4ffb621e4e70f7258b428b433875543600523fd389175fdff1555b77

SHA512
135f37022216bbde063af74476473bc2e64ba1e18a60b2209a6b11c5ad2e169347a9477d7895e826b25c48b2b073b4b661cc2962e2df988b6a1330cfc17e1d96

Download Submit
C:\Windows\Logs\DPX\setupact.log

Filesize
7KB

MD5
f70e63aee5b1cd7eb61358853deedcd2

SHA1
c6ce9773d3fc4ed29f22878312adc97b3bdab3c0

SHA256
1b915f7c8e39fb5de89746a790b65bbeb490bbc9eca6c2d2fbe322ae00166567

SHA512
e077b217243708834c522ffa6d49e87dfbeb2dfe5a9ad1e7be7a7134a067e72e1aa82039182cefc6c5c921027b2719ab9dd1624e234026e1da3a2b76d7fd3a75

Download Submit
\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe

Filesize
11.3MB

MD5
e9f45c6495018f14ec1448f281d6ff63

SHA1
9abc563f4b1bcde3c253099a7bf6746014d94390

SHA256
e3f51be4fee8aa9ad40ba3a25a9ff18e46e40784dca14e0dd0d95a14d3e5920c

SHA512
569898ce065a3cc05131a8420002b4a165fc42ffb828cdbecebee39dcfe804461bd1d2528728480b8f2f3081a63de0bff51fdea42a3f8526d018df518cc9a792

Download Submit
memory/1208-107-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1208-109-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1208-108-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1224-496-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1224-498-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1224-497-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/1528-82-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1528-81-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/1528-83-0x00000000025D0000-0x0000000002610000-memory.dmp

Filesize
256KB

Download
memory/2024-84-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-70-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-68-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-100-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-509-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-510-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download
memory/2024-511-0x0000000000400000-0x000000000199D000-memory.dmp

Filesize
21.6MB

Download