27b0887d18811457b7e67bcbba6e11cd4f2693911efa971fe7ab254bf9e279c9

Analysis

max time kernel
157s
max time network
175s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
16/11/2023, 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Google Account Disabled.msg
Size

127KB
MD5

46110b98a5a1530f7fb9d432b68edd3e
SHA1

3cfec97db23daddfa599784cb3d7822fc0815eba
SHA256

27b0887d18811457b7e67bcbba6e11cd4f2693911efa971fe7ab254bf9e279c9
SHA512

a2bc44b8cca56d35cdd3a379aa0394860d43f8a28f50f1915d81255dd19df51a642dd60f9dbf96b2f5567c2eabb7c7323cf17238dbd1deb2445b0a31d6aeec16
SSDEEP

1536:aSO4LsWVU65Gva5gL1h36ySEdRbpnQqUht6eBVE9Mfx5OSdl8c7bdSNj6C04GQuq:aSO4L1G6gCE6hIgyM6al8c/ccCVG6

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2920	Update.exe

Loads dropped DLL 3 IoCs

pid	Process
2920	Update.exe
2920	Update.exe
2920	Update.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 70f25db28418da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e71718400000000020000000000106600000001000020000000e4c1ac13b5f284f1ab4a95f95fe85707264760acda5c719478b0d1af0f2bf94e000000000e80000000020000200000004cea576fe8bcb9f71de1954c3d52516f2a86bdc5179f9fad5a1152c1a26cd426900000006fe4f7633f3e12cdacb8fe9141e5f6513107e4b1859bc7281182b0c396065e13032b892f4bb76213418ab6044660f9712f7ac4f80dfcec759fe62bffe7fbbcd4c0d265a6874eaeae428c9cf572502952b94ae7482e86c6c71934b624afb51fe897d4a6f0f56abdc34b89a01affdc1ecf197c623fac9154b34914e42fc2a6fab3ab2548c28e13ad68833e3a3cf7f2d164400000006ed9f169018b87c9e46c805c60ec3e2dc4f5acbe235f641d497da93e0c8f12e3163aeba99b83385850c29834776261127e06ca47803b0537eafe0b66684950df	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ED80A5F1-8477-11EE-AEB6-5E10D214D0C9} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10cb0fc48418da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002e1e81ecbc95de49994f369c3e717184000000000200000000001066000000010000200000006fe4783ba684ae3e8da2b160b50f93e137d6ae5e5978a62fe968fc86a815393e000000000e8000000002000020000000f8b8149437df14b16904998e6a7908591652d5553c38480ec6890693b9bcd6d2200000003017bd883af0c9fd7cf3569f04c67148378a88a706d70f213bb19aac379af4c94000000091418310462a5b0d033b814c055ec0cc81ae66b115842ce8e63ca97586ed5f39ccc16db9620c5c056d9eef584a214fb3843e4472937935e6e4770ced9f13d205	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2788	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	Update.exe
Token: SeRestorePrivilege	2920	Update.exe
Token: SeBackupPrivilege	2920	Update.exe
Token: 33	2516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2516	AUDIODG.EXE
Token: 33	2516	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2516	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2788	OUTLOOK.EXE
608	iexplore.exe
608	iexplore.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
2788	OUTLOOK.EXE
608	iexplore.exe
608	iexplore.exe
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 608	2788	OUTLOOK.EXE	33
PID 2788 wrote to memory of 608	2788	OUTLOOK.EXE	33
PID 2788 wrote to memory of 608	2788	OUTLOOK.EXE	33
PID 2788 wrote to memory of 608	2788	OUTLOOK.EXE	33
PID 608 wrote to memory of 2320	608	iexplore.exe	34
PID 608 wrote to memory of 2320	608	iexplore.exe	34
PID 608 wrote to memory of 2320	608	iexplore.exe	34
PID 608 wrote to memory of 2320	608	iexplore.exe	34
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36
PID 608 wrote to memory of 2920	608	iexplore.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Google Account Disabled.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://protect2.fireeye.com/v1/url?k=4fe196a6-107aac74-4fe6cd52-000babe405e0-e0828c6408fbb519&q=1&e=ebb3e6eb-f7b8-412e-bb04-ae9070ac2a97&u=http%3A%2F%2Fmyshare.vodafoneldea.com%2Ftest%2F%3Frid%3D1759271
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:608 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    PID:2920

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
329fea1ae9435826bed2547663a9354e

SHA1
365b49525d749bca79ecc6f9174297e0ff39b866

SHA256
52610fd83dec22a7112c1580d6c75fe20827dd6f26f71a1fbec898dfe9de6b96

SHA512
3479ee1a25b2bb33ef820c73cd6248a913b5be26b937650a416cf3290d466498b507595f75105a5524c41aee356e716f481a2ded92134c5703bb68017a82b60b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_0D52D82D706B4C9789F3FD04086157E3

Filesize
727B

MD5
ff157559f2ba44b85c5353a77b6b6992

SHA1
0445f579fd1cd95da1e8ba5e3882fdd5e11ecf15

SHA256
68b544a4d15c4f3b4cb129951576f1704a3fca5efa868ae6b72fa72adab08687

SHA512
4e979bf1ba3d76cc8be1a1d6bc6fa1d362df1198c29999f8ef99c57f42263e92fa6442c0d2955b4460995ea0cb39597704108d9cba58c33f37ed355daaaed617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7516a28b30f7665e68de83fe56ab5830

SHA1
4adf0a7a49e72eaea4ceb3e4d2b4c14377dd73c0

SHA256
7c8a2bfbd15b30ad9072b37e1743e5456da5ad16bfa63072e93a8f675ed5163c

SHA512
56d99cf19214cc42cac94841b36bcee74930c06c9b835e3bfa6afb6f9f5f947c11eb7b05279fe98dc6241ead0ca9ebc5196a8d3368aebeb94b6e00b19f69a3bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
5761be564787b25d4e463de1b92c42f7

SHA1
d8ba37d9132523aa5e8952c58286898bdbe3c485

SHA256
8114aec17f07f5fc4cb93613ee86e1529f37353427c5aba11678aaf7739558b5

SHA512
6e0d0ced1d4a354e027cef30dfa220c6355515f8882a40b8989b8bf888c79197320ee89673c2ae374515979f9f36a869975d0da6acd9631a3ba80cfa19a5776d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_0D52D82D706B4C9789F3FD04086157E3

Filesize
408B

MD5
dbee452e3f570d4b8a7340e5aedc891b

SHA1
9d253469f57942a182918d61fae4f457cbe22c74

SHA256
bac0433a6fe48c1918b531ae39ea881a23b9c086079f81e5d5973347d013225b

SHA512
e34b6490b5d336573590d730582d2fa171c6bcd678719724292be3d743271dac2e431d85f2765f382a952cc5b4821fd89c6edd77aac151738f88db9b77930ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c4cccb96875cf01d1f530b4ea2986b6e

SHA1
d99c0d01e9af496a43b7a4cc0acbc94e0239cd06

SHA256
b3f69c624e847c944e86ff96ca6a20094aff8d0139d75201e21e773ce95e864e

SHA512
83efce31eacedf602389bd69895799f18f7e9a3818fcf58a2a386deae9dcae28180d2a33136ebeb626b6623bf59caefc95ad02d65858204c4b93c908ae18a1ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a14a17b14dd6e36859758696c87715a1

SHA1
9f8727b93c0b3f9deba5f314a50738359de92b5a

SHA256
bf38f3be594aa45e394e685c3c202b648707125310c129eac9037218354632f9

SHA512
196ccf77acffce55a15b97fab05b5f99d3c2d9bb0957c661f11c4495abec5e5be9364a6acc68ca2f6418d361f35e29104adbcb5ce6c4efefa654a5efc1f516d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b444cccebd80a6437055f73a672f02dc

SHA1
00af781495584ffa867897589ae169afbeb1829b

SHA256
be02d202b73cdb3f67790c1bc441a31c2d5076ad516cfa54720dc2f42d7bf905

SHA512
b9d8dcb2b42c2ea2e0a97af3fe1b26635d383c03f27f6536f169ce73f0f5673e2176ce6152c5330b1a0afe30b185f644d104533490557042d4e06aa673d617d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f568791f7ac70218ae1dd8269691e9f2

SHA1
9fba58abef933383cca2dee9f7bddc3999ea09ab

SHA256
77e838990d6ab2f749da99312c5de5ee924cfbfd20d616e290c85a9e321d0336

SHA512
066c92a628caaef9ea63fc578cebb5cd181d1c5f42ddd6dd88dd4fed3216104db007772e0c84b6f26c77ed41b2dff976d4d41bf5724a4daf7eef50f0ed7202a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9264407e1835730a6ad46318fdfafb44

SHA1
18ec522f4468a8414f9687e642b222978c33a845

SHA256
624d97dd21558e259db8e663ca55856311a81fd982356535bb60834ad785950a

SHA512
6b17dac2608e4a2884f959f403acfab2245c8dc713d9ab07ab90123bdaa13db6ffcf850502e8b1a8730531745d42d85f7ef17837e339446601f973cfebf1a240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
717aae9ff071b080100b85fc4b123690

SHA1
7cd1ec037e425257f2a94c1958a0ac7f63566cc5

SHA256
e3eef6d01c7f333b5394e3646f1745d8376982e2fd251333fbdfc030d0452c31

SHA512
1d3bb5deeb5585b00cef738dd8b490165ca210d5837b5bc8a95470d84afc64fba300f5ff0c608788de20052f71cebbae190df98767d577872627b06aaf86ef23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
02f9f80def69b2c45f796cc9a86ef740

SHA1
e5d31fdc9e353b2a161a8803705a515aef5ba199

SHA256
805bcd1f83a52f25163d884bd283be215f73466ee8d78ce3f55efcd822cbc6e7

SHA512
e1628db32968f9fd45787e30f01f1a93ca39b0c6b7440cca1810b9cfcc057852885f861737e54f1ddfa32e296324fe1829159129bd8f368a5ec1a5009a78f7b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f96f7d0600b2bb9da87e2bda89aeaa24

SHA1
7b490cd99d60ac1595d4c87d0b9cc9580e6a761f

SHA256
46a35df196efab6ea201119a087bbf6d7bb6451064c800fb496e9989b7dd5895

SHA512
ee2400d63990bbb7f4f52c8890e690e3b6b370a7c6ff4de7156e2088b0bab03774fd80ecfbd1b0371301ccd57d74043f577e22da9d48bc1b730c2ac69c59254c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41d740070d1e1f41e83fd4f24591f330

SHA1
bab438da37620e3375967a7b4f6414f5d8601078

SHA256
f93b4fe92083ae699bffeb4f72b8e106de084c737d01c59ff797cfc6fe0fd4a6

SHA512
e145f37cd20307545e6897881def16f56ac1e974a1b277c9e5088bd97366686806aa333ed0015cd3186ae9fc9e1396f887c4a5acd725880c3432a2bae869d9c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9847febd33b7eb8e83ea26265ea7124e

SHA1
668c10a94b6f6231f4d78f99f6a8b3e967bbf38e

SHA256
01ac16c4eec1bc8f88e8e84af9d90d61a0492989715d3f0fa80ec96c7cc8ec01

SHA512
532af5b9d8d1d6a19c4a85d440f2d1efb5e782b3045630ed7325bfc6a1078ac4e0ee556c8103844cfffb182122845528246457001edcae4940a4b09eccb71087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
504ec0c6203d5877e80df5d1dc76e70a

SHA1
b736aa1175552699a2447dbd7297906ee34f1ea2

SHA256
2903aa181c8a412d4075994ebd7d654c7467f679876242ce97715e100611d23e

SHA512
92f765bc43f6f8990bfa799d703c314e34350352f36cc9950bcd7e980d83efcad085913eafd4796fd1e2961c8884714fd4f9834cdf911f3d040ee77c9abb4af6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3d087d8c0775e093cafd827be7af506e

SHA1
abd732c84cc8822cd04588a67580676b4851801a

SHA256
29c8e71583f8ce5ca4129cd0aca0f13966acae7f6904d916a1911c4c9812a33b

SHA512
9a5e7f2a30c4a42dbba84fea57bf96d58f8950ee90aec5cbd90f54e36aff1714b48e70144d0fe541615ed6b78cec3ea10d2c07df1a1fcf445d8f71909998c12f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1bb7e21b0d42c7b8c99464cf3bc17309

SHA1
26536021399604cbbd01e93d188b77dd39340824

SHA256
fb004d4d9a54b70e298aa0f81c916df0f1b99d46aafbd0b0a42d26e505f205d8

SHA512
fa10b0e0cc6913071427878594baa0672d65df13b270e1063caa37e2ef6da75e94f3404090db9ff1b59b1d7a5bd19c877f27911334efee65bc7b57a30d46622b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3b35cd00cb4039e3d9642189583350ce

SHA1
763122d86a617873191b3d7d8fdf27845f5978e0

SHA256
024729ef8b55e500bf6b1554291fec71ab97262d5725582d78d53337340483b6

SHA512
9ed08531aec0843d12193f51ea37a4b6db155833af5505046dff335decc084cab4c0226d44e88fe3746e5c67a00e64d847194d0996382701dded889b306549d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ffe0c4c3222d021e4a26935beba417df

SHA1
edeb20e86a68217fbe4b8fd5a85f165a450ab27b

SHA256
128a47f16ed233f8a7e9730c84458563c1b06828e78008735b412f5883121b8a

SHA512
ee3b119314b1919829b7195db9e9c21559eefb98a0e891e27456bfe41e51de1e6b2cada38b9af3fe7b463d50989b926d472fd8d7d5093bdb90938227cbc2eb73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ca443822b21f0cce6deb0533009bc2eb

SHA1
1eddd600f684c4b852ab299ef074bf5c3fcc2c81

SHA256
3bc999f81f8e2fd9be92149ab2239e9015b2bd91e8b258129e22df741039d3ea

SHA512
1db873d1eb8c8de03ffba4e75cf3461b49983112ce0b2297c5727b069fbce5e4a27bbe3ce8e4b204acad2e76eaa5173b0b6456ecbd05502bd9782654f04f9da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d724a2713581a6cd08bc0ea98adcbfbe

SHA1
ce7fefdc4de3c250fa1d791c4d77241800dfe43f

SHA256
5677dae6d2c55b3832eba522a010c10ee4ee39d69ccdbaf15d686afa8420f056

SHA512
16754a683fd51a9e14bc08f20e6e735bf4c31d7e52115b3202501fc0bba02b3502960e795b049cd2be56c814e17e8031e697bc74c44f247a5ea79f2f9db28048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
081e720d9557d6154b029a58afd0ec05

SHA1
e94824f96e9b6b866273e3993d7670ef2ad7349a

SHA256
3ebaf12f9fccde8223904701eaeaff6d4e5a9ef41987a258b0895a98510c08de

SHA512
88e707c67a2a41e6ff27065a26afb12487d5549a29eaf1f78e7bab304af0b5a2304823280c25260c08ca8b8b2a6ab3636178ccc277880f08c43546eb7f18587b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b4910a6681fc6d35bc05f05fb599573e

SHA1
de473fba92e4f279809bff2bf244dd73811bd4f4

SHA256
65270584f8ee066ff0fc3cb031100977df2bf0997f43d78dbeeecf4f42b44dcf

SHA512
eb557e3bf4118f0fd711ff74625145293d273d62ed7fd8464a9256fee287005e3d12099bb70d7120c651a67f6622e1cb33405816a19c55e6165e57462f100055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e51c42fc3502c7172d2417aed457816d

SHA1
12fa5aab6183c393f3172e8d91a14a54e8ba0fb5

SHA256
a0554c1e62eb4e5f81ee5ae1534a4b1034e28340fd3d904fa196a2fcd9afddea

SHA512
d2aede6308832a8e6fc2ce0b2f017b92a08e22b6c5b1b85a0ceda4d53aed8e22506155120e193a61d8c4f4cdfdd9329a30f09d77905dd4c0eaa51713bff92943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1e22d34d8649c7ce3d950dc3481e004f

SHA1
bc5763c61cd96a44ad56ae2f0599329155f72176

SHA256
d2b4c6d9412c7679d64efd82b900e03ce6ebe3c3fa4c8a4d5998b5feb26d66f8

SHA512
b029eb00187b675467881940142f67b0c02cb3042b81d9ecb63d19f711379171650f2593288a43bd93a92a97afe93693e9456786a87a17da5b1bc13339c9fb2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45fdb6544bf249ce161bb6abe8ed2ec7

SHA1
724aa299899fd3ac1b4e7177a56260c5ee377f78

SHA256
efbfe4f0fd9c4e3ed24747f78539e8cdfbd2fb190c2da279c59e2acef3d2ef83

SHA512
ea7411891220a45c9b0409656cb49800d387a2d447fad672735bd9875660222ed4bb8c7ba98795eccc6a833f37443bd4c82cd67c96b16468f9a6e6cf86c5e0fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
45fdb6544bf249ce161bb6abe8ed2ec7

SHA1
724aa299899fd3ac1b4e7177a56260c5ee377f78

SHA256
efbfe4f0fd9c4e3ed24747f78539e8cdfbd2fb190c2da279c59e2acef3d2ef83

SHA512
ea7411891220a45c9b0409656cb49800d387a2d447fad672735bd9875660222ed4bb8c7ba98795eccc6a833f37443bd4c82cd67c96b16468f9a6e6cf86c5e0fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9f2694522cab60ea8b6abc9ab83d6e74

SHA1
7c50f95bd244c9560b45128c6c43cdf039ea222f

SHA256
61f3a6c8f8fc147cf8e4d8f122c2cb781913a9f838c2ad2c0568e133762db96d

SHA512
b5808d667973c21507b237963ca0c52252b8baa41b7ff9f7a52c2c8f856d08e085b625851c82c78b96c771d8c0070dff06293a9a5625049207f1344be063bbcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4f17aa9b59500a63da9c84f70eb6f00

SHA1
728eae2e0868f1ffeb98afb0e6f490f2be0a0798

SHA256
8a86892c911f713040d369ee22bb816376d4973573538afb2cc2b26778f63b34

SHA512
edaefe277da8af1700ceed5ede45f12bae0ef873609ebeed717ccc4914a31cc031aeaf3a90fb9222e8c48f1eab8f872592333860c92925f5eca44c8a4e718a77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec94e0f0e6424ac8abc62e00338f283e

SHA1
69643fec9732b931fe65b4915463e3e6ae66f376

SHA256
49a7254f27ecf9a7d21601bbd0a98bbd01821c1ca9c90421321eef92f61bd37d

SHA512
8be16f58adff1ff31b6bfebfe5b4349888924b547df61df370e2711d06bc243a1bf9b1dc213b553868df35f1d61cfa1959289d84737302a84d6332cdb3efa9fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
07c9806909d1899ede5c4a4e5072f876

SHA1
9f2ca7651ba0935a0e8be3df6fbbaa2c8adb1ccf

SHA256
43c82d23d967fd2e7b497245b643416e8eb4e5ffab0ac189c11476bb9c21bf30

SHA512
009989651d97b1ef5c3c97b33dfeb3546091df0fa8ad65e91e991153dbba338f278756cf765614b2c1ff84e7358cff69fa9c442b54624df20e8f8af26e2b9c60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50c8cf76391c64369a31e192cf57f7fc

SHA1
93928055cf5b03e1dcb5444d40a5900c7f9ef8c4

SHA256
5ff0819f2e6c3c88f4c498af56f219a6baa120e36f514edb57e2c9e0ca33b34b

SHA512
dd5f0ea09642c1cbc2a60591e962b2b61329d6731d751cf9ad8f5f62d6d2cc34ac0dba1265d1f91ea4855afe83525f8c1e0684881895616336e678fd80672f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
09a182ab5d0169e5f7a5df7144409017

SHA1
0d75fcc0fd7dcefc389626f9c279390c653d0b8b

SHA256
5ded438fb1a4b0860c4b7b025b24012d9f976e43850c13626e4ebccf0308c419

SHA512
900097f017f5874a723fd2137b60dfd7b5787743dec4a58698c774e49bfe648067494cf6c15d738b4000acad74d61442a7a6f8270632709fa7a08d620d36b3ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
d58dc625befa8be16dc713b162e66b7d

SHA1
4289ba8377cd9024280c0fc0d1dd6c833cee6e11

SHA256
527f556c95ac4fcaf5a001079985ff9f7bbbb110a41536e89fc2c150536b235d

SHA512
367caf4f90a9cfbe1988b56983d8e52bf2ab91376b9224c9bdf1752c10d3f5a911971bfd5d4a86f2bebf8ff7a73e358f68f74345bfe216a2cb437c25ee328d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
d58dc625befa8be16dc713b162e66b7d

SHA1
4289ba8377cd9024280c0fc0d1dd6c833cee6e11

SHA256
527f556c95ac4fcaf5a001079985ff9f7bbbb110a41536e89fc2c150536b235d

SHA512
367caf4f90a9cfbe1988b56983d8e52bf2ab91376b9224c9bdf1752c10d3f5a911971bfd5d4a86f2bebf8ff7a73e358f68f74345bfe216a2cb437c25ee328d02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi

Filesize
185B

MD5
90a5f31d1d04ecc69d631cbde515f545

SHA1
99a070e1f4a26f7724d6128caa5b5e3fd4171ad8

SHA256
95088a249cbef608bb217b901a705dbfcead6ac7ba85094d1311f77e33196e34

SHA512
faa7e11af5273048774c953758e8a33913bf1034f19ee9efa8fe6057c57999269ad1c6122749edd6531aad3d49442be57977702786a043b45af098021c45e1b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7TVQOT0Y\Update[1].exe

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe.zknek3i.partial

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDD45.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDDE6.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9214861D-171F-4518-9DC2-CD72B24EE1E5}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HNDI6Z3B\Update.exe

Filesize
908KB

MD5
d2ab912c003bf20b0ee9d60d772722c9

SHA1
ac03788acc56479a3f982a5305d8aadade88350a

SHA256
5c4ccb1ba672cd4ba65f5ff61dc9ffa748e74d943768fe17f334422a55e4fbc4

SHA512
dcf8d6c6ac3ba6e1c8cc5a83224d536d1c3cd9ad2c3c3069d84618ccd72b6923fb90bcb81b31c0edf3613cbe3a35c0223c194f822406c9b8ff42d8810413ac5c

Download Submit
memory/2788-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-128-0x000000007334D000-0x0000000073358000-memory.dmp

Filesize
44KB

Download
memory/2788-1-0x000000007334D000-0x0000000073358000-memory.dmp

Filesize
44KB

Download
memory/2920-821-0x0000000004FD0000-0x0000000005010000-memory.dmp

Filesize
256KB

Download
memory/2920-820-0x0000000004FD0000-0x0000000005010000-memory.dmp

Filesize
256KB

Download
memory/2920-819-0x0000000004FD0000-0x0000000005010000-memory.dmp

Filesize
256KB

Download
memory/2920-513-0x0000000000CB0000-0x0000000000D96000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads