559c556615dc2d9a938c71fc7161bc864f7f9a8aa022253c63e2791c2ef29904

Resubmissions

14/11/2023, 21:49

231114-1pjqdahd7v 5

14/11/2023, 18:07

231114-wqjdsaea81 5

Analysis

max time kernel
461s
max time network
369s
platform
windows7_x64
resource
win7-20231025-es
resource tags

arch:x64arch:x86image:win7-20231025-eslocale:es-esos:windows7-x64systemwindows
submitted
14/11/2023, 18:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

RADICADO;344057980 2023 0901-00.msg
Size

121KB
MD5

02c1e35c3af928a00557892885f04a9a
SHA1

af5de43218f128a3aa18031f123d4791e361eac3
SHA256

559c556615dc2d9a938c71fc7161bc864f7f9a8aa022253c63e2791c2ef29904
SHA512

8e0c4ec263b220dd57e3e2050b592c6721f82e8cb1c6ff5cb31385cb383ffec8e5c9ea260357490ea144ab5b6e928a75815ed812af1d42bd2de28e20e10d312b
SSDEEP

1536:0/bZuFaSE5FIZKM/KM22JFIH63FJW0WaZxUaWFHFsFSnMZWRWoM71:0TZySFIZKyK/SFIH6ils+2O21

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 50aa0f972517da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "406147180"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D240A611-8318-11EE-8D10-E68CCE7D41F6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\.tar	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\tar_auto_file\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000_CLASSES\tar_auto_file\shell	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2456	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1592	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2456	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
2456	OUTLOOK.EXE
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe
2264	iexplore.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2456	OUTLOOK.EXE
2264	iexplore.exe
2264	iexplore.exe
2408	IEXPLORE.EXE
2408	IEXPLORE.EXE
2456	OUTLOOK.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE
2264	iexplore.exe
2264	iexplore.exe
1048	IEXPLORE.EXE
1048	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 2264	2456	OUTLOOK.EXE	32
PID 2456 wrote to memory of 2264	2456	OUTLOOK.EXE	32
PID 2456 wrote to memory of 2264	2456	OUTLOOK.EXE	32
PID 2456 wrote to memory of 2264	2456	OUTLOOK.EXE	32
PID 2264 wrote to memory of 2408	2264	iexplore.exe	33
PID 2264 wrote to memory of 2408	2264	iexplore.exe	33
PID 2264 wrote to memory of 2408	2264	iexplore.exe	33
PID 2264 wrote to memory of 2408	2264	iexplore.exe	33
PID 2264 wrote to memory of 1592	2264	iexplore.exe	35
PID 2264 wrote to memory of 1592	2264	iexplore.exe	35
PID 2264 wrote to memory of 1592	2264	iexplore.exe	35
PID 1592 wrote to memory of 2244	1592	rundll32.exe	38
PID 1592 wrote to memory of 2244	1592	rundll32.exe	38
PID 1592 wrote to memory of 2244	1592	rundll32.exe	38
PID 2264 wrote to memory of 1048	2264	iexplore.exe	39
PID 2264 wrote to memory of 1048	2264	iexplore.exe	39
PID 2264 wrote to memory of 1048	2264	iexplore.exe	39
PID 2264 wrote to memory of 1048	2264	iexplore.exe	39
PID 2456 wrote to memory of 1032	2456	OUTLOOK.EXE	42
PID 2456 wrote to memory of 1032	2456	OUTLOOK.EXE	42
PID 2456 wrote to memory of 1032	2456	OUTLOOK.EXE	42
PID 2456 wrote to memory of 1032	2456	OUTLOOK.EXE	42
PID 2264 wrote to memory of 2900	2264	iexplore.exe	44
PID 2264 wrote to memory of 2900	2264	iexplore.exe	44
PID 2264 wrote to memory of 2900	2264	iexplore.exe	44
PID 2264 wrote to memory of 2824	2264	iexplore.exe	45
PID 2264 wrote to memory of 2824	2264	iexplore.exe	45
PID 2264 wrote to memory of 2824	2264	iexplore.exe	45
PID 2264 wrote to memory of 2544	2264	iexplore.exe	46
PID 2264 wrote to memory of 2544	2264	iexplore.exe	46
PID 2264 wrote to memory of 2544	2264	iexplore.exe	46
PID 2264 wrote to memory of 2940	2264	iexplore.exe	47
PID 2264 wrote to memory of 2940	2264	iexplore.exe	47
PID 2264 wrote to memory of 2940	2264	iexplore.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\RADICADO;344057980 2023 0901-00.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=1Xw-HwqDHTkW-Hrw3Z4z1DEMnqEx3h6Xw
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\RADICADO;344057980 2023 0901-00.tar
    3⤵
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\RADICADO;344057980 2023 0901-00.tar
      4⤵
      PID:2244
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2264 CREDAT:668678 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1048
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\RADICADO;344057980 2023 0901-00.tar
    3⤵
    PID:2900
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\RADICADO;344057980 2023 0901-00.tar
    3⤵
    PID:2824
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\RADICADO;344057980 2023 0901-00.tar
    3⤵
    PID:2544
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\RADICADO;344057980 2023 0901-00.tar
    3⤵
    PID:2940
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://docs.google.com/uc?export=download&id=1Xw-HwqDHTkW-Hrw3Z4z1DEMnqEx3h6Xw
  2⤵
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
20dc1ab7df4aac78349ba48202af4933

SHA1
bf1e357080256b614970a0c3de0d87265fa0b323

SHA256
3ab5d802edfc037bc668b72625ba6f5ba2afe591e94e96409eb1d38fe55420a1

SHA512
f6859d47e8f45969b2dbdff6fa93e679403fc48dc03f29c8fff7af0dc1d451960ea8adba3a9abb3554832778b92c101238e69345e6fc655e7411a77a0bd98344

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_5A8DA7E75009D0EA2C79217981FF930C

Filesize
472B

MD5
61e292f56796fc11863f987d753d6012

SHA1
f9bbc9f7e68bdb952693e1718513422bad433aea

SHA256
86f8880d182822be0cb01d20107c362208b461dd0bc3dfc608cd0b09c49f56bb

SHA512
987a875a92d70d5fc82f3777d70043596c4dcbc71871626f6f417b7dc8e35db724ce19939e332efa11b6efd966a622818b627523272bfe296fa3fb97d72c0141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_11314361DFE3E655E02EC2E7F9346EC1

Filesize
472B

MD5
3e5a4c88fc312abae282a128fdaae94a

SHA1
c7f47a95f9433ae2741a6fb9878654abfc7982a0

SHA256
392e5362733d7fbc7eafb64b1664d2aa5421bc7b13ff68c294a2cec092308e3a

SHA512
4d33eff7326610908252beef8ae23330cf8f80470fdcceddb00e05be0c4153d6a2daed1330a27605d3bf6142ba130493c068ac09f4629866b187afaa9066433c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
1e3bff8b9c7cd32c3f232a7f95f92f42

SHA1
e0756d786de4f26027a942bf5a9c643dd7eb4e43

SHA256
d7feba263b1147b6c40e98f1e800e02565716ac1f6138eb968b25ba88723d93f

SHA512
ad2bcb3575b737cf6aa99352c9afe35c8184456587846c812ee1b162023936b79555742a67936c5f5eee79b67c09971b63e781608415530f28779bff8110b54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
590e6bc9d64ca526c3f2944d4823a239

SHA1
67e946416892db59ee261b633cbcb5199218c5d3

SHA256
8b5b17d80281c9bcd412d7ef2b322ab32eac1790d60f42ebf7a9e56bdbddf241

SHA512
e39767dd26860075879e76d1c83bdba20a2e9614898b129ffb6fa2c428ff79c26a8309ca7f75f33aae66e6a1b5ce7137f2a53bdaffc052a641842b1fecc3904c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d4b716011786fcafa4e80e3541f0168

SHA1
8a4849fa348618963600a6667849b050e051b0c9

SHA256
3a627244e52de29e509471532988a70b960d1a39a3856de94e38b815cc19a588

SHA512
fef5d8fcac222749738e7acad67601aaf6932a0e44182960b53cf858f7cd162a6623a0c34660a2f357e37d50e2dea3a0a836df3e5427b062562d9473444230a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c0ccabcd00d4ee43fa6190229e2afe8

SHA1
4ebf016ad6e81ae334cf3c1eac83c6d820c1d281

SHA256
da78b0d2a1b5deb3fd5664367f0aa536cc8205ddba475d2f1c1a2526b385ff00

SHA512
09e14d7e60c445642753573ee93a3e4a7415ef6e44e90190c2dc6be804da997a422dfb1e842f715076b98afe853ddde47449c42871618d715cd764db4b3b1c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d9070bdde057dadf29163ad13d257500

SHA1
071408cdc53040ea5ceb796f1955210885e6d601

SHA256
f9804534d6de4a59b95b862e7d8481d053d8117f8309bfc6c8d84ef5bf94b61c

SHA512
d834bcb8b3395d786aed47ec163be94604eeb9157eced044704a0fcc24316050e766121afde2dee0df9d869713dd241235c96f28977a5af154048c5c3201adbb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8fb459d57e9d339ce5023528c6504f0f

SHA1
8b40d93f2b239d1adf000f173d83cdc89201db27

SHA256
de8e2e2794961adb4b3e3bf79b2a21b41bcc0fa242640058c851ad01dfa5c28b

SHA512
8f3789419fe266afc459c083016c80413c230dcf79a6a9dafae6dca66de9e9948978091384828e7556a578065a99e7ce39f1ad32550ac39cb00c75fd10caf31a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bff2601378bb1008175f6bb7cf6b5d56

SHA1
f34b9ff741b53d33cad74402c078617a5a556ef3

SHA256
457ea8d840cd31a322b4284a11dfc94e62c52df589a4ef6a5b0d383c29ce0132

SHA512
16e7f82da327dc793bddc0521043abd0cadcc08bbaadd143cc5f9add28134f194be179fe621f07027f74a617de7b9a274859049600796e17f7ee1eaf3033dc77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
be18a6d8a996dde158fe0de33d9e510c

SHA1
3258925bbf39270944ff1548fdbd9cc6ed525ecd

SHA256
e799503800473b8a971867bb64f219a6598cd607ec79b1c3b77cf0c3316e57a3

SHA512
737f070718f2c1f0d77f4e5877986e7e5f73db688f8afac50ee97fa3c70715b7b9007903ed353491bd50ec43d0980c30ee48c618fddf6a9e1ba824fd82dad672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c938e2f00632901941b4f17c2630bc0e

SHA1
1c6a9a098ddabe4a86f5b6bb103d2f49f5c94c1a

SHA256
b7ed96b6f2b3d3a6160c81aff060a0457c494023c3fbccca0065dd1dfeafb207

SHA512
3ef1ef48b76b9bff4db03178fa206d171d81c972606ce840298f583589635da94377b7fab8d6288b48ef0b9d9724baa7ac98bdca28daa73e4045314cda8343a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1db034874c6e6b9eee1f5f08dc11dc0

SHA1
b834c6ac856f80acafc1377265d79ca1d78078f4

SHA256
855ebb4668a74d5b0359faddd38a80a340446d549d6c1a380a87e706b50d3105

SHA512
436fc5d4b29c599a65df2f810f890c139ec8d2281a303e1ebb5d714a6ad691cfcd31e7624bcfabbe785d5a7a513ab84ba248262603f992a14d0c310c0056fee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
901559b76ab954af2d9eb5ee2f9911dd

SHA1
127d6731b1dc88843d3d25cd858885234620aa39

SHA256
b0093b347c17f2e841a9845e10c5baa332cf1c8cf9f4a51b9ed7401b4557fd08

SHA512
543cf1c4938c38a342f3623f53f85f608dce7ab981a87b8eb019b1a047342a86a2a0a55d0e81557a7aa39a870e80218601fe548f46cddd1ecd150fed1020f4c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
668afd795eec46222d58e5a918b4be5c

SHA1
4b2f441cf838235799247b3f105f34b78c2a57a6

SHA256
64075edb35ca0cee4b333e6e287733d2725896aa309fefd4160035dbbf5e76d6

SHA512
2313c9f8cee591745140e1883e939a556953f1980de0a4ec7a54b1b3064c20e31f0d0efadf93e48ecb95e37427a15e2adb76b91f87158c622ccde5c57f6e8fec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_5A8DA7E75009D0EA2C79217981FF930C

Filesize
402B

MD5
66135a22ae483ed97197530bc8b28084

SHA1
f262b3138657d27f143e8af33e7bade217b6ae28

SHA256
e462e26cefc6747eafffffa0ed01bfb4efa389b58c1b3f97bfe26adcfa7982fa

SHA512
d0a08e541ea9fa411386706fd838eb7c98e9c0a600e52700c716deb81b16e7cc39001f7a14dfda3842d3311bf0a1ba7593f4417b0e755475b350afa21290216c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
47b4a96db3444e9c318ee00949571253

SHA1
51bb62baf5e3feeffdf9314a57b52930282a2393

SHA256
0e3bd28831812dcb806acfe2aa34db8ee29205c684205fd4178b55f8f4557ecd

SHA512
f8fcb3f2e442385a4fe0d158028b3cbee2ab02ae8730ffc08e31a8e0367992b9318038337ee95ba638d986a21e4ce036be1f90a7580016a66b775a9cac444721

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_11314361DFE3E655E02EC2E7F9346EC1

Filesize
410B

MD5
4f6ba3b8f3c3052991cb50e164bf346f

SHA1
1a8a0e9b169877a1b7504d09e5b7405b87a54c2d

SHA256
4f5930fd1757d0fce55c43e2594d465c7bc443b6220ea492b8474683f3fa1429

SHA512
d25a244aea7aa6243b3d7312c41a33174046952e0c8f638640931c14f185461137766591ea838c20d99f35734709ff25df760d11ff7be9bf1b2b391bddcd3c76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
787eb2233e2c2ddbc8b132921f8224a4

SHA1
3648042697dd694c2cf3e8b6a3ec6380858f86f5

SHA256
717d3204681bdad8d727fbd32ae74c98d98379e24d361480f36be1694575446c

SHA512
b425e4934e8e31369d438a47f5b9189b144856fc16e5df1b7b7ce0e4a705176c9ad12313fcf5220371c7387ae077123a6a372f9139b87c782d9519ad77763d05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\RADICADO;344057980%202023%200901-00[1].tar

Filesize
1.5MB

MD5
1e1db131f0c71a87552b14444759f30d

SHA1
fdc65235c46aa116d420977fbec30cfc081c3383

SHA256
b150e9a876963b689e4726e922a049d54e2c87a08df9170f94badb7841b116ce

SHA512
abe0b0d4d5f0150a21577bcac8790e384a28e04c81801cfda413e6717ea73935c7961bfeabd2c5829a10ade2b123c32bd3d5c480da88b6ea60621204af4ec1a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MQDFJ88W\RADICADO;344057980 2023 0901-00.tar.qgwmuq9.partial

Filesize
1.5MB

MD5
1e1db131f0c71a87552b14444759f30d

SHA1
fdc65235c46aa116d420977fbec30cfc081c3383

SHA256
b150e9a876963b689e4726e922a049d54e2c87a08df9170f94badb7841b116ce

SHA512
abe0b0d4d5f0150a21577bcac8790e384a28e04c81801cfda413e6717ea73935c7961bfeabd2c5829a10ade2b123c32bd3d5c480da88b6ea60621204af4ec1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB87.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB8A.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{92C1F7D2-5E80-4EB6-B969-985776CF26CD}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFB1EF7470054B7A0E.TMP

Filesize
16KB

MD5
a7eba7c0d3c3758828815a3b78262601

SHA1
ca555ed1ecf68f19860780d22b2228bac6efc7d0

SHA256
8ecc56592fee3d0dd17985cc2741a50e8c9b709fc2489421d91498f256eeec7f

SHA512
3b66d1ad790140c5683b60c0481aabae1b91eeef4534acd1cba8328aad79ec2feac297218735bf0b89d8e90d6e111014d762131e56f5235067454992a6b0c5b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
3KB

MD5
c13bda05c457cd6c2b4fc90061834753

SHA1
e4f88bda2aa32abea5a8eb6cbf058761076a5c69

SHA256
ea88b1c681cf5758bc1ee97281c7e2a4a999358e11f54860b105fd599992a344

SHA512
9937dd94d717132885d5f5e966733d1f704552337fe831a3e174c1e244b97e403ae6def5719ccd16e365e7facf5bfe757575ce9a1703e3291a766c5bba1ba3ec

Download Submit
C:\Users\Admin\Downloads\RADICADO;344057980 2023 0901-00.tar.uikpiej.partial

Filesize
1.5MB

MD5
1e1db131f0c71a87552b14444759f30d

SHA1
fdc65235c46aa116d420977fbec30cfc081c3383

SHA256
b150e9a876963b689e4726e922a049d54e2c87a08df9170f94badb7841b116ce

SHA512
abe0b0d4d5f0150a21577bcac8790e384a28e04c81801cfda413e6717ea73935c7961bfeabd2c5829a10ade2b123c32bd3d5c480da88b6ea60621204af4ec1a9

Download Submit
memory/2456-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2456-163-0x0000000069E21000-0x0000000069E22000-memory.dmp

Filesize
4KB

Download
memory/2456-124-0x0000000073D6D000-0x0000000073D78000-memory.dmp

Filesize
44KB

Download
memory/2456-1-0x0000000073D6D000-0x0000000073D78000-memory.dmp

Filesize
44KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads