c4055410021f0cfc4abd5cd6d37ad77132b7c5fe32bf29ebf99a09b17124e06f

Analysis

max time kernel
216s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
Size

91KB
MD5

a5a0fdd945fce310ce86428c2c4c5f20
SHA1

58d41b3594e8338eef0a38e9fe0ca904b2fe01b2
SHA256

c4055410021f0cfc4abd5cd6d37ad77132b7c5fe32bf29ebf99a09b17124e06f
SHA512

dcebcdefa1a3e193a939a2d8c32db9e27c8456092c2b329538a3399319f98bce22a3f338cca20bec3ea16528a30c51e556fce055be2472ae86faf756fb8e58f1
SSDEEP

1536:jRsjdEIUFC2p79OCnouy8VD1RsjdEIUFC2p79OCnouy8VDk:jOm9Cshoutd1Om9Cshoutdk

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 7 IoCs

pid	Process
2468	xk.exe
2700	IExplorer.exe
2844	WINLOGON.EXE
744	CSRSS.EXE
1476	SERVICES.EXE
1652	LSASS.EXE
580	SMSS.EXE

Loads dropped DLL 12 IoCs

pid	Process
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe

UPX packed file 35 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-0-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2708-3-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2708-4-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2708-6-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000186c4-10.dat	upx
behavioral1/files/0x002e000000016d72-53.dat	upx
behavioral1/memory/2468-55-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000186c4-58.dat	upx
behavioral1/memory/2468-59-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x00060000000186c4-61.dat	upx
behavioral1/files/0x00060000000186c4-65.dat	upx
behavioral1/memory/2700-68-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0008000000018b0f-69.dat	upx
behavioral1/files/0x0008000000018b0f-71.dat	upx
behavioral1/files/0x0008000000018b0f-76.dat	upx
behavioral1/memory/2844-79-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018b91-80.dat	upx
behavioral1/files/0x0006000000018b91-86.dat	upx
behavioral1/files/0x0006000000018b91-82.dat	upx
behavioral1/memory/744-89-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018b98-91.dat	upx
behavioral1/files/0x0006000000018b98-98.dat	upx
behavioral1/files/0x0006000000018b98-94.dat	upx
behavioral1/files/0x0006000000018bbd-101.dat	upx
behavioral1/files/0x0006000000018bbd-104.dat	upx
behavioral1/memory/1652-112-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018bbd-109.dat	upx
behavioral1/memory/1476-103-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018bc8-115.dat	upx
behavioral1/memory/1652-117-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/1652-123-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/files/0x0006000000018bc8-122.dat	upx
behavioral1/files/0x0006000000018bc8-118.dat	upx
behavioral1/memory/580-130-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2708-235-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Windows\CurrentVersion\Run\xk = "C:\\Windows\\xk.exe"	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe

Drops desktop.ini file(s) 4 IoCs

description	ioc	Process
File created	F:\desktop.ini	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened for modification	C:\desktop.ini	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\desktop.ini	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened for modification	F:\desktop.ini	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\K:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\N:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\P:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\B:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\E:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\G:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\H:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\S:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\V:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\Y:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\Z:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\O:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\U:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\W:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\X:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\I:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\L:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\Q:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\R:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\M:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened (read-only)	\??\T:	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File opened for modification	C:\Windows\SysWOW64\Mig2.scr	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\SysWOW64\Mig2.scr	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\shell.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File opened for modification	C:\Windows\xk.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\xk.exe	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 4 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\Desktop\	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\Mig~mig.SCR"	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3750544865-3773649541-1858556521-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\ = "_ExchangeDistributionList"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ = "OlkOptionButtonEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\ = "_SolutionsModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D9-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309B-0000-0000-C000-000000000046}\ = "_OrderField"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\ = "_Account"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ = "_Rule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063022-0000-0000-C000-000000000046}\ = "_JournalItem"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ = "_OlkTimeZoneControl"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063020-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063040-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063102-0000-0000-C000-000000000046}\ = "_SimpleItems"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305B-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\ = "_Columns"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2084	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
2084	OUTLOOK.EXE
2084	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
2468	xk.exe
2700	IExplorer.exe
2844	WINLOGON.EXE
744	CSRSS.EXE
1476	SERVICES.EXE
1652	LSASS.EXE
580	SMSS.EXE
2084	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 2468	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	27
PID 2708 wrote to memory of 2468	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	27
PID 2708 wrote to memory of 2468	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	27
PID 2708 wrote to memory of 2468	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	27
PID 2708 wrote to memory of 2700	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	28
PID 2708 wrote to memory of 2700	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	28
PID 2708 wrote to memory of 2700	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	28
PID 2708 wrote to memory of 2700	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	28
PID 2708 wrote to memory of 2844	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	29
PID 2708 wrote to memory of 2844	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	29
PID 2708 wrote to memory of 2844	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	29
PID 2708 wrote to memory of 2844	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	29
PID 2708 wrote to memory of 744	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	30
PID 2708 wrote to memory of 744	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	30
PID 2708 wrote to memory of 744	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	30
PID 2708 wrote to memory of 744	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	30
PID 2708 wrote to memory of 1476	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	31
PID 2708 wrote to memory of 1476	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	31
PID 2708 wrote to memory of 1476	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	31
PID 2708 wrote to memory of 1476	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	31
PID 2708 wrote to memory of 1652	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	32
PID 2708 wrote to memory of 1652	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	32
PID 2708 wrote to memory of 1652	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	32
PID 2708 wrote to memory of 1652	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	32
PID 2708 wrote to memory of 580	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	33
PID 2708 wrote to memory of 580	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	33
PID 2708 wrote to memory of 580	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	33
PID 2708 wrote to memory of 580	2708	a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe	33

C:\Users\Admin\AppData\Local\Temp\a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\a5a0fdd945fce310ce86428c2c4c5f20_exe32.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Windows\xk.exe
  C:\Windows\xk.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2468
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2844
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:744
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1476
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1652
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:580

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
230KB

MD5
e532ecb715676a97acde79c769e790b3

SHA1
18809b766dc34c341468f84dba4291ea20fe2452

SHA256
6dd37806341e0fb42ee6411bd4121bcf15cf614599c29b8e7da1a10ece768154

SHA512
196d7aff156b786ab642b0930a9ce653458d91c287df01a02f6390a3cb6885d7a13e449191b84ede66ae71982fe5c06500507b7b5b7a66a28b18ad5c4de6443b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
138c8a113177de0440af2bbe7fec52cb

SHA1
ec6f26f76a953e9f32d78ee1ba587174abbee1bf

SHA256
ceab737b7aded902833b3b6e0e08b1c93eed3897c85ea1d00732d3f18ee66b21

SHA512
f5a22b785825f8386f060622d0fc287b6d18501b3960018a43612a1c9c2293f45d5454f62aada65a58da0488d29c4d6f73bacf39edb74937d76fc90c2a5d1b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
d0c6ef0890bca267b6b280a84a059154

SHA1
493485ce22b912791cf89522c6a0342e9f312110

SHA256
62ac0673072921f1e6fa6e64ce4b09ae0012042904ba2a9bd79ce555ffb6a0d0

SHA512
89c4446691a6d52da964f31855481812f2e1c5101c694573b869057e879e652a460773136763d32c317ffad072d76d354d706b5d4b2b5739f826d9f5a5ae2d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
6e3c073fa1ab80767895fe6100ae7a17

SHA1
4f32b9e9a53894ebeba90d625676e349f5ad9e04

SHA256
e51dd87c538e5f038a9bab7ccb187cc395deaf9169ed12691f43ed5ac9a0c4bb

SHA512
96a945128a2a62521a6b305390c29d27b5d0045b6b11d755c444603197af0e4d1072c6631bf40c3cad504ee3e00ff32743f093a620343bb64e08aadcde402b9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c065f9e238435dc4a298f6c6b735958f

SHA1
2f7cb2e6505af4b4de5adba344c6dd37cc1a159c

SHA256
fb97e1c52e1b21c388c8bc142023b463744114024c861572020d7d4d14228c0f

SHA512
cd2df9b6a98d2a1be79ac3de87d282c773d49c5e0a91704094a5e0e53f058ef80db51947f50997f41fd313b8547fc5124f9480561e56a704261cfbe3a3e93581

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
094fdf4e65d9a3fcd050297e3e62d204

SHA1
c88c49c0851d49ad2a49759ef0d206b5670576a2

SHA256
39e97afc827efcde5fe2fba22adebc8ab5a44bf1b024be3f07b87c6434aa3192

SHA512
b601993cc4e4aafb44b580e1a18acaf6b4007fe9209c51a0723e6c9994a00229a1ad6f2884f89d780215635bc94690f8a0d3e64cb08ae46fb17086245da311e7

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
df9056b026db5349bbd031f292aa9379

SHA1
e19aecd72975c20fb797abe450ab3faacecaaed9

SHA256
c1b43b09027022780d24462c3f14ac95cc47cde4eda85997a9127abbe88b33d6

SHA512
e8f8d2906ba9eb7fd69514e130073a1ac385b242fa0c973f0b4e504fffc7d5166e232dda219c777965ec3ce8071fd851a872355f4c07de1f9fbcb0e8721299e8

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
a17bd96c6756a5ebbb830b5c94e10b9e

SHA1
7a1155e664c00a95af320dcfbb483e3043381503

SHA256
fdbcb48e807faafe2b1dad552b6e4ee6db14e669590512ed8380ed2c1d8327e6

SHA512
fc1dc54914ec599441875af67873ba8dd9351aa134abf25ea00bd7ceac6eace6b5db0d14943f44757e92b02e7a9291aeb80a85eba448ac7df74493478bed04a1

Download Submit
C:\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
e763cbc85e0658cdc78c4ff39e5ab1c4

SHA1
e3c9c4a950b366a4a05c3a013457d288c688006b

SHA256
4a84cae7938bc3717f6b819100417c23a87166dd1a3c84e41926ac2f236f8779

SHA512
4a244ba71dc69157aa32fa7d305df1a32be21f0b24cd21317e21eaa63cb3ec727f8fff8c3441735f67c61ac4e6e605439571d274f03ed3d400dadb2e49b6b0d7

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
a5a0fdd945fce310ce86428c2c4c5f20

SHA1
58d41b3594e8338eef0a38e9fe0ca904b2fe01b2

SHA256
c4055410021f0cfc4abd5cd6d37ad77132b7c5fe32bf29ebf99a09b17124e06f

SHA512
dcebcdefa1a3e193a939a2d8c32db9e27c8456092c2b329538a3399319f98bce22a3f338cca20bec3ea16528a30c51e556fce055be2472ae86faf756fb8e58f1

Download Submit
C:\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
347eadb6e57eb9a013ef5339cbf11683

SHA1
c10d333f2ae9d87e46c53b84118aba32acd118a0

SHA256
1931ac88b968a99577535ea27a85c9bcc6b0f26d5103b2c4d7d195c31da6e6a6

SHA512
3754fdeb6bc2b27ebefcc303e9cdb6503df14021b66888d29e03d3e714c8424a208745f4172621bc911a1ff8773383604893e85adfcac9cd1ff31781e238df62

Download Submit
C:\Windows\xk.exe

Filesize
91KB

MD5
718bf92c1e438b92f1972ef71b026112

SHA1
86aa5cf7bd07a314fd32dad66217576a414b72e8

SHA256
3484780b64f363ce3914636c11fcc20a86afa626c2d92980c06e449c9cc340bf

SHA512
5317483de521fbd3007b86a17ee677b5389bcc55e3ee34d14a184032fda5014a1cb984681412385cf6b4098cdd33151a4c563a5efd44ce1e94e785cf0bf3d1dd

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c065f9e238435dc4a298f6c6b735958f

SHA1
2f7cb2e6505af4b4de5adba344c6dd37cc1a159c

SHA256
fb97e1c52e1b21c388c8bc142023b463744114024c861572020d7d4d14228c0f

SHA512
cd2df9b6a98d2a1be79ac3de87d282c773d49c5e0a91704094a5e0e53f058ef80db51947f50997f41fd313b8547fc5124f9480561e56a704261cfbe3a3e93581

Download Submit
\Users\Admin\AppData\Local\WINDOWS\CSRSS.EXE

Filesize
91KB

MD5
c065f9e238435dc4a298f6c6b735958f

SHA1
2f7cb2e6505af4b4de5adba344c6dd37cc1a159c

SHA256
fb97e1c52e1b21c388c8bc142023b463744114024c861572020d7d4d14228c0f

SHA512
cd2df9b6a98d2a1be79ac3de87d282c773d49c5e0a91704094a5e0e53f058ef80db51947f50997f41fd313b8547fc5124f9480561e56a704261cfbe3a3e93581

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
094fdf4e65d9a3fcd050297e3e62d204

SHA1
c88c49c0851d49ad2a49759ef0d206b5670576a2

SHA256
39e97afc827efcde5fe2fba22adebc8ab5a44bf1b024be3f07b87c6434aa3192

SHA512
b601993cc4e4aafb44b580e1a18acaf6b4007fe9209c51a0723e6c9994a00229a1ad6f2884f89d780215635bc94690f8a0d3e64cb08ae46fb17086245da311e7

Download Submit
\Users\Admin\AppData\Local\WINDOWS\LSASS.EXE

Filesize
91KB

MD5
094fdf4e65d9a3fcd050297e3e62d204

SHA1
c88c49c0851d49ad2a49759ef0d206b5670576a2

SHA256
39e97afc827efcde5fe2fba22adebc8ab5a44bf1b024be3f07b87c6434aa3192

SHA512
b601993cc4e4aafb44b580e1a18acaf6b4007fe9209c51a0723e6c9994a00229a1ad6f2884f89d780215635bc94690f8a0d3e64cb08ae46fb17086245da311e7

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
df9056b026db5349bbd031f292aa9379

SHA1
e19aecd72975c20fb797abe450ab3faacecaaed9

SHA256
c1b43b09027022780d24462c3f14ac95cc47cde4eda85997a9127abbe88b33d6

SHA512
e8f8d2906ba9eb7fd69514e130073a1ac385b242fa0c973f0b4e504fffc7d5166e232dda219c777965ec3ce8071fd851a872355f4c07de1f9fbcb0e8721299e8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SERVICES.EXE

Filesize
91KB

MD5
df9056b026db5349bbd031f292aa9379

SHA1
e19aecd72975c20fb797abe450ab3faacecaaed9

SHA256
c1b43b09027022780d24462c3f14ac95cc47cde4eda85997a9127abbe88b33d6

SHA512
e8f8d2906ba9eb7fd69514e130073a1ac385b242fa0c973f0b4e504fffc7d5166e232dda219c777965ec3ce8071fd851a872355f4c07de1f9fbcb0e8721299e8

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
a17bd96c6756a5ebbb830b5c94e10b9e

SHA1
7a1155e664c00a95af320dcfbb483e3043381503

SHA256
fdbcb48e807faafe2b1dad552b6e4ee6db14e669590512ed8380ed2c1d8327e6

SHA512
fc1dc54914ec599441875af67873ba8dd9351aa134abf25ea00bd7ceac6eace6b5db0d14943f44757e92b02e7a9291aeb80a85eba448ac7df74493478bed04a1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\SMSS.EXE

Filesize
91KB

MD5
a17bd96c6756a5ebbb830b5c94e10b9e

SHA1
7a1155e664c00a95af320dcfbb483e3043381503

SHA256
fdbcb48e807faafe2b1dad552b6e4ee6db14e669590512ed8380ed2c1d8327e6

SHA512
fc1dc54914ec599441875af67873ba8dd9351aa134abf25ea00bd7ceac6eace6b5db0d14943f44757e92b02e7a9291aeb80a85eba448ac7df74493478bed04a1

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
e763cbc85e0658cdc78c4ff39e5ab1c4

SHA1
e3c9c4a950b366a4a05c3a013457d288c688006b

SHA256
4a84cae7938bc3717f6b819100417c23a87166dd1a3c84e41926ac2f236f8779

SHA512
4a244ba71dc69157aa32fa7d305df1a32be21f0b24cd21317e21eaa63cb3ec727f8fff8c3441735f67c61ac4e6e605439571d274f03ed3d400dadb2e49b6b0d7

Download Submit
\Users\Admin\AppData\Local\WINDOWS\WINLOGON.EXE

Filesize
91KB

MD5
e763cbc85e0658cdc78c4ff39e5ab1c4

SHA1
e3c9c4a950b366a4a05c3a013457d288c688006b

SHA256
4a84cae7938bc3717f6b819100417c23a87166dd1a3c84e41926ac2f236f8779

SHA512
4a244ba71dc69157aa32fa7d305df1a32be21f0b24cd21317e21eaa63cb3ec727f8fff8c3441735f67c61ac4e6e605439571d274f03ed3d400dadb2e49b6b0d7

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
347eadb6e57eb9a013ef5339cbf11683

SHA1
c10d333f2ae9d87e46c53b84118aba32acd118a0

SHA256
1931ac88b968a99577535ea27a85c9bcc6b0f26d5103b2c4d7d195c31da6e6a6

SHA512
3754fdeb6bc2b27ebefcc303e9cdb6503df14021b66888d29e03d3e714c8424a208745f4172621bc911a1ff8773383604893e85adfcac9cd1ff31781e238df62

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
91KB

MD5
347eadb6e57eb9a013ef5339cbf11683

SHA1
c10d333f2ae9d87e46c53b84118aba32acd118a0

SHA256
1931ac88b968a99577535ea27a85c9bcc6b0f26d5103b2c4d7d195c31da6e6a6

SHA512
3754fdeb6bc2b27ebefcc303e9cdb6503df14021b66888d29e03d3e714c8424a208745f4172621bc911a1ff8773383604893e85adfcac9cd1ff31781e238df62

Download Submit
memory/580-130-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/744-89-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-103-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-112-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1652-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2084-152-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2084-260-0x000000006C831000-0x000000006C832000-memory.dmp

Filesize
4KB

Download
memory/2084-237-0x00000000738FD000-0x0000000073908000-memory.dmp

Filesize
44KB

Download
memory/2084-153-0x00000000738FD000-0x0000000073908000-memory.dmp

Filesize
44KB

Download
memory/2468-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2468-55-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2700-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-124-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-75-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-54-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-235-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2708-236-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-108-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-114-0x00000000024E0000-0x000000000250F000-memory.dmp

Filesize
188KB

Download
memory/2708-3-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2844-79-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads