3e5b5e9daaf326c7f7ce7bfdaff666ead554b64d38fd8ffe0731f2b492994d84

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20/12/2023, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Check out AU23 sessions for AEC industry.msg
Size

144KB
MD5

65e0a3e981046df05a6182c49c2216e1
SHA1

1a798b44c0757197594bcfb7cd7c810ff49cae10
SHA256

3e5b5e9daaf326c7f7ce7bfdaff666ead554b64d38fd8ffe0731f2b492994d84
SHA512

a1d1baecfa04a3cb9eb0f99d3af354d1fdc72e8098694b8b6d7203c704a3ad2723db2d621440a745fb19467ff5e8bed87b94e002b632f83136376e9d85b89cfe
SSDEEP

3072:OWvzsppoPkpjZ/zVWb/5ZkeS1znDjI4lFZ:AppNd/mS1bD

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "4"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C847F261-9F26-11EE-8383-46FAA8558A22} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8E424751-9F26-11EE-8383-46FAA8558A22} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 405fbf723333da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000eff9a8ca841e11f575a9942a5051037d0b6f1f3902e59e7f89f12c96d51f87f3000000000e8000000002000020000000b55b9adf9d893afa22cf9a24fd09eda14d4c987b71764074f9b4d1202211ed53200000004a7b8a211054965a5f616e97302f3dea102e8e75866d11f6f85e239e4f4b07ae40000000f9b5da5fa51e07dfab5adf58b0a21fdec6adba7b31df16cb2514bf80f6d9492d1142d7a2d86593698419bd258134bb78730acc017a0382e6c0bfe7275638d2dd	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2560	OUTLOOK.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1824	iexplore.exe
2700	chrome.exe
2700	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2560	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe
Token: SeShutdownPrivilege	2700	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

pid	Process
2560	OUTLOOK.EXE
1824	iexplore.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2696	iexplore.exe
2752	iexplore.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of SetWindowsHookEx 42 IoCs

pid	Process
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
2560	OUTLOOK.EXE
1824	iexplore.exe
1824	iexplore.exe
1088	IEXPLORE.EXE
1088	IEXPLORE.EXE
1088	IEXPLORE.EXE
1088	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2172	IEXPLORE.EXE
2696	iexplore.exe
2696	iexplore.exe
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
3012	IEXPLORE.EXE
2752	iexplore.exe
2752	iexplore.exe
2520	IEXPLORE.EXE
2520	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2560 wrote to memory of 1824	2560	OUTLOOK.EXE	31
PID 2560 wrote to memory of 1824	2560	OUTLOOK.EXE	31
PID 2560 wrote to memory of 1824	2560	OUTLOOK.EXE	31
PID 2560 wrote to memory of 1824	2560	OUTLOOK.EXE	31
PID 1824 wrote to memory of 1088	1824	iexplore.exe	32
PID 1824 wrote to memory of 1088	1824	iexplore.exe	32
PID 1824 wrote to memory of 1088	1824	iexplore.exe	32
PID 1824 wrote to memory of 1088	1824	iexplore.exe	32
PID 1824 wrote to memory of 2172	1824	iexplore.exe	36
PID 1824 wrote to memory of 2172	1824	iexplore.exe	36
PID 1824 wrote to memory of 2172	1824	iexplore.exe	36
PID 1824 wrote to memory of 2172	1824	iexplore.exe	36
PID 2700 wrote to memory of 1760	2700	chrome.exe	38
PID 2700 wrote to memory of 1760	2700	chrome.exe	38
PID 2700 wrote to memory of 1760	2700	chrome.exe	38
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 604	2700	chrome.exe	40
PID 2700 wrote to memory of 1560	2700	chrome.exe	41
PID 2700 wrote to memory of 1560	2700	chrome.exe	41
PID 2700 wrote to memory of 1560	2700	chrome.exe	41
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42
PID 2700 wrote to memory of 1724	2700	chrome.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Check out AU23 sessions for AEC industry.msg"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2560
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://secure-web.cisco.com/1vp2MAp82lR0Dmm5xRhLLCfUWfloGEeu9VzC9N-PW9pCJ_MEAzvXsTR831VIz6BHmBHpYrPtxSsBE2-X5Sv_TcEJpNYkvoPnMjXKJb7cRUib5yNEN1ob3GAi1j8Sag3ta_SQc2nxyCToRa0WztZ39VEVO1haRoV1k3NF4WfhpwKuBexgpCNHvf5or7UYnl-Ey3Mabm69sD64EcC2iGVphf6A-MSn4-7Ncit4FaI9P0RIDW5VFTCtBtkpXMSoubA3FjDwALnVphs4dSNqYfpXKa_42G6M2ZvJEy66BCHHctC9wDynbuloM2iv6-2Y3JeLx8OnUArw40lxAufHqTs-U9-SKiu2jCAckw60mYA1yq58TyUmQMzPX0CZFd3Vg3AmXNvKAsmnhZs0FZssnXlYjQZK5RIYbvGB5TVu6icpQkM0/http%3A%2F%2Fclick.autodesk.com%2Fdc%2Fer0Gs8a_OybMS5d-ngHgiovCXMAbDiCz6dz2wWVS6uleD_khpkDGkd_3-EsWxHssc_27EyybgpRBKE0_GhFCpu6cp6g5uBJtf9ySth_YoRKz7jsDtkRxTXhXTcCb-QkRntZbbVjROwVOBIk1vuWOlZ9HT6tyUbOUq-a8gjvRxRlzOfd-9OmsdMibk7HPNMrTTx_wkcm-NJz_SiDpcoTtJMwSANaBqqOHM1jIcd_DP6J9xy0nihrEf7UX_n5_cqr5eP5ELLSOMfKewyaUfqbadStEw9m87gX-IgxRCQOht4kgy227TfFGyWXy2DwCzRhGJLyNLp9un0zmk-ctnEcjJIoFlzgMpXTeEq7Uvz8rvVg%3D%2FOTE4LUZPRC00MzMAAAGQJWJqIX8xeT_0IZ40Puu_huIvoqLlqMIia3-7_wwD-4Er4Dz9TiI2acnciGaBGQeOh9zNL9U%3D
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1088
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:209949 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2172
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://secure-web.cisco.com/1mMUqct7DbLyWE5c8mT5PGykiUixcaAv1tF-IaVhWgGGoiB9HrpEiOFZQQQc-SZ4ge-I9Kfh4yLVFJCoAVasT4uyMT8XLxyGB3fC5Hb8I4lUEqidHDyzy_XF589BNlc8jDTbCeCEx38Gr0hvpJyzHb4_-mGNYTPKDIKRjj6LbM_0Kji4sCkEEt2sJGfFI8sOeGE4-DGfrJAqTdjj6gFBCMO_1U8BHJ7Pw9jKi1HU-qrUqOhCMdkv8Wg7oVR2RJN2eXcIcOXYMro-tvHcfoYQLlVUf6iJx6XU7yO8p3otJcttn7QDOInpmWyw2Z95W55lJy6U5OR8ccK2xxypl7e8xzy5SNVzoWiyfjabizv8B1tgWQmi8SpMw07_YtnHjkfOEQIo8Lnd5AIrusLsMFGIL_CR4TcgE9_Iul6c30_klVtc/http%3A%2F%2Fclick.autodesk.com%2Fv%2FOTE4LUZPRC00MzMAAAGQJWJqIUMuNan6oY0MA9bOcMN4Ss583NC1ruiQX26Pvsftc5jP1tXgM3DGTMipku6hT4C0zjU%3D
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2752
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2752 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71d9758,0x7fef71d9768,0x7fef71d9778
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1192 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:2
  2⤵
  PID:604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:1560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1612 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2316 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2340 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1388 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1304 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3348 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3608 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:1424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3620 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:1048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1108 --field-trial-handle=1208,i,4216276457718840467,7926427836866963350,131072 /prefetch:8
  2⤵
  PID:2280

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2696

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2696
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebc83569861bacce4d0eaab815609d10

SHA1
f456be2826968c24baaf304e125d0e89e7d222ee

SHA256
672192b3d918ef2f5be0d9ef2303b6f0c0767c4ccfafd38e8b3ddf79032b965b

SHA512
2a28954d0bf9dc56ccafc6103cb57731cd6e5a2a2721926aba63193ebe8d1e4d349aec5d081272505cf11413cdf3e6e7467f9385d0d62b3780e01cc384a1a0f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c270b2ab8d4747e8262d907dea12375

SHA1
5867a6b5c0f10981e59effe97e6e4a2274ea574b

SHA256
355120e09e5aa7c110a2f79ee0b8f35dc8cb9c3f2c0e39e3dee63a6ce2e7135e

SHA512
10ff22655186386caf6c83c8978ec514da0d550e4cca0d24e188c4fac80a629590a55595bb026e6d7e136bbb280adc7341907ee298beef69dbb839593e6b80d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1cac15f009f1b2c2c739944b50e6a52

SHA1
64a6484c203b20fec1b1f560fd130e5db9265533

SHA256
45430de31b413acffdcee29f01238f24bf8f093b081ee4dc6ab3c9da9cec19c9

SHA512
4af9ac08bce8e05afe672fe795fb83cfcbaa193fac7fb1fd284dc49d39f3b8d7362249921d757ef843761b65ee58a859d328252f2a9868e7093439cd1be4e1ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
04af6a4421b17fd88f74845a377fc5ec

SHA1
7ded7cbeb52f1ffcdd44d6907fa2ff66f1fc56f2

SHA256
48241dbc06a2372e2e9319255d2cc5bb1a23c4dc644adab4babc20584b0d96a5

SHA512
a5c25c041bbaab633157ba7b10922f19756a874b298419c59d1f4ddb95c4cf2186b862e21098a0c09fbc953ac7edb0c5e8bfd33667c091abc379963c47310a5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
24db4a689f9100b90ac41b85afda205e

SHA1
5dc77ffcc40d86c647824176b05a7d29b52d4d26

SHA256
aa3bd8f056dbccbf681c47ef91db316149faa7a7e3e593dc3fe15fca2a12f1d6

SHA512
1ec7fb28e6b2afe20839e7d4a2183a4f7c196291275c96d73132cd9a94d646e455959a8d14f8a19144096f53c778c0e23f06f676a19216465d812dfbe580dad8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
62fc60bdf68f85ee793f630d2332470b

SHA1
b763a24852ae1de22317efc7336343a992cda7d1

SHA256
c6c484d52dc37d605ce007358a981de8aea9cb88e6ea036f75029534665b5497

SHA512
265c114dfbfa1bf9caadea8b8018a9a4e95ae561f799c593e787afa902583aa4f65e967d9e48f2e3efa4fbfa05d8e6153889a927095ec6bad53de888c2cb31ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53ae242963f185742f92dcf35f15cbc2

SHA1
5484c0e178477c6b6e0905b1dd64ba4770c6837b

SHA256
85bc2ab9a2c8b709ad57325c7ccb58a800f27912db87e758867b5fddd1ddb870

SHA512
bd7f5fef94b06c9f8c27ea40cddc326471384431c098c81204cc60bda93c8ec22a2db6d605689908aa928414503ab60d1da97dcfe09b0632538ac4723d2e2c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9dcb39578661c704cfb8dc4015c0ca5a

SHA1
6c9af4fce083644f9433bcff822d77edd1154aa8

SHA256
9b8a42667b34f22db8b143e75c3251d2963e78acb61f2950a22bcac4ab0c8fc1

SHA512
3a7fa45c058ae3dd50594cd95c2bc072d36f7e102b72347c7dc916083302527496f32f404c2b3f57156761a4a43b80b6441ebb6ae3fcb6389999da1b7113180f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2c892d9610dc939c39eaeacda42102e1

SHA1
54996c3a61695b9da1c1fcacec9736fe15504296

SHA256
9c0d73ff1b72dbe3f79e1ee439813ff16f85701e76f53d5b4acea6a84c2cd063

SHA512
fa1729afe26c41ee81214947220c79d42c1394da07dc55829edd8c0c0540ad244ded9a292e19389136592eaabcc97eab8f39fa4fdc84704c509f557357a92a56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32939560fd7b08b0c305a1ed9d442316

SHA1
9f51b3a884314612a670cc3bd18c9c725fa980df

SHA256
cd2a8c5d644bff7584d3b366fb1895904110612da74a58979ccdf406cfc4663a

SHA512
fd1eba9be942c9a122738fc7e8d8d85269e4721c273507dea0368381ae8980f0b5603a49b4985f9b476490dbbb22452a3511473f436be404e1a67f98b5a8b6b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ba744314a27ec9c08b73633dbb020c0d

SHA1
9c4fb1814fef943be6a838ddebfe2890adbbfd7f

SHA256
d5deccef57c7207a511c6717de654f9d99d2e5aa27a934bfb2787dbdb8298dbc

SHA512
31b27e5c75d9b0852f1c730cab469ca809f60361c33b09bd1cf32a849a02f2bab60174eae0a11b1e548f7ce2fbc463e4b32ae95b733cffa9d0eee3243986b641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f6880687a22e3989c3f0615a1591e94

SHA1
f74b576a07130b4d10b225243056f5f4e1f385d1

SHA256
1daf62cf660ff2396a2d9142d6cd8b465dc6eee177560728bc9cce930e174a88

SHA512
61b8b48e5c6088ecbba9bc6100b7fd7a1496a8dcd061ccc7a5ab7f8608ab379ceca26b193be9d7ebfeeea0b74cca456e8755c2e963b21d6dd11979c11b2447df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c3be326d4fdee3d1a62be78fd3defa0

SHA1
791213afaab5ea1f53aabb3e51e9bc51ba79d105

SHA256
3659449877f7ee2653c303f1699355bf68aaa9d8d24d963d5013c7804622408a

SHA512
15ea8cc46612a4f885e76558c2df01f4b5ea49924e2a3266d1a98f38c9e879266590e4ea69fd0309ec8f844fb9d3ff0e51598e390146a6cc9c4e9b316bda1485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8fcb0d0ecc58944ef1f707945c44b0e3

SHA1
0905718351ba12419518080201927d0a263eba0f

SHA256
2eabda094891c623614e147380abb5df186fca50d5d840dd7c836515fad156a2

SHA512
b5fdf660c141500ae154e00fcecde0e85dd72599e0a20e44a83d2bcff376d461ed66a39f160b094d2517c53f12b8df09af2dfdb2702de6346c3d4ccf25956828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
712dddb6cb04cfcd0758ad1828474b14

SHA1
446e4f7180da91c9a8ca5fec1e9b09a33431333b

SHA256
46a405cce0d11e69346623fa5be8f1950e2cd05a5b1b73d82240d3dcb1f55d39

SHA512
1b544a4fec0d3ac0844d762f09239caf5126665e40341dcac3628bfa5fb007de40344338810541d76c0f5d13ca14d8531b4576810d370ec68a6e148bf2f13234

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
42d52691330c9c7748475f2e09c5a29a

SHA1
68ca03cb3ed718f7d1f79c4ab5949f194f3da606

SHA256
16a3139686832e8074fe14d6e76a884a9b4940e6d0f6d8c44a55afccb947b2ae

SHA512
978710f84bf26530121072e8e3ef8a547485f495b81a3a4bc744fa93a10032c6fb66aaab1223da776a5981d9f78616d1ea569e68fc52c15e89a9caed8f046f69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e241dbd92385f4353733cd2cd2828189

SHA1
caf73d17f9139e42951adbac2c4be14adf420968

SHA256
8b270a6a9a3c27d30c4d41d27bdce8a06027c31b3684d2f37a7aed1e5ba6b3a4

SHA512
c41485e82308efb0861344ece2a8a311cc04b0e734fd5401b4f7189550e771482fffa861073d142d3beb517bdc8cfe4018f8f666ea27e8f8e45270e244d610e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
08bccff4c58ae3750b77e3b7779c65ec

SHA1
ddd36c655d827a3a9b8da68f5652a975be68ef1f

SHA256
e0cd8cf75fae3a1f5268dbfee114e7c42b6dab2762a404665c36d5a01f2cb075

SHA512
837f261ba44003ee44ebc6f41dd8ee93ce682446cc03df06286e25400c31ec00745f20981b2880af6b5f33e3363da41767382450ef5b7c9309caf0199038e22d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8d5014dd-ff51-4f84-ada3-4525cb5e3f73.tmp

Filesize
224KB

MD5
d886ce80ab8dea0ed289dba79285c48d

SHA1
a7ba0097027f4109bfac609f4ea327532d58c662

SHA256
d405237c3f8640c8bad3931462c1fd1b4a04caa8767a21e8082b273094d1b8e6

SHA512
0004148b412046a24252bf8de84713d09ea635ebb2afd8258ffe7f275242cfee7344396156a0b1d4b52ae667127cf3a21db05a65574f08396fd87b070e3fbcb0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
263KB

MD5
49ef136587649966cc78191c0438c8be

SHA1
f7d6e7da0a3e02ee949971c2e14ae177d3ea6f2d

SHA256
cb039dd2583c6d9a543e7ca6f682095259f96cb5123dc4e2269afc5bcd37a528

SHA512
09ebed2f0dced9bf2e4d0671d6b10ba265cb49d812e5ca1408e850b4c867bd88e964ae99d0fe093bb28111dec1de0130ba17c1e399f7dedd977ef63b9e2dad14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{9F3BD240-9B54-11EE-A46D-E6B52EBA4E86}.dat

Filesize
6KB

MD5
e49c1a834a7caab6a0ec88a9d0372475

SHA1
8918e5f1acd2322d89335cacf17b964c7d776d5a

SHA256
8c1514dc96b44f142c9d4a59e5a2b5c27bff2ab0199f92fcb1d4b4fef061b204

SHA512
31071723e88ae7e9f7b10296bd349ced645b420857a45ab44f4d58b6708d219585d2d2a4d0bd8f2df027d8f87c921841e54e934a98e5a2efc6c80f9def73040e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{9F3BD240-9B54-11EE-A46D-E6B52EBA4E86}.dat

Filesize
5KB

MD5
07835746acb4e1fc0244550685780e38

SHA1
f60ed8ccff8e0e6acf6633616a776585befd2e9e

SHA256
edd09969ec025dc0755647ce8ca3f8fc934b6263d9a5b001900862b428437994

SHA512
2a9b1f41a9881ec23ab56fd77855822aa57ec912ae75688692b0230d47b929284073cf8593a3d26b251a088ada204711f8ef3980a8940cf8305ccbd8b985c97a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9D3AAD10-9F26-11EE-8383-46FAA8558A22}.dat

Filesize
5KB

MD5
452f28d6f5de92f23940cbf0e1ebe8d2

SHA1
cf7de6b8c18940b777c3d1f036091d13f5f38657

SHA256
b54275a5a7de0d2712e0de67b0c0dc438b1340b21f6f304650c81b68aa116a4d

SHA512
405833e30537b0fecb1888e4f47f510effeeab8d4a0cd3a2282bea5c549694262854c53a4815a76672fa58f035e4b791fe2c39e3587f9db0a2510900a392a10b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9D3AAD11-9F26-11EE-8383-46FAA8558A22}.dat

Filesize
6KB

MD5
3b3fd09ded664e3d1bf17520f5f92324

SHA1
9e920f918dd224a7339360c87c13b13b67288a7d

SHA256
12dd9bc2888cb3098df142238bf16feb98a49f0d4a4dd81cf9924dbc6cb1de98

SHA512
276c575cc53c238c12f106ecd59e473ceef13ce87231c56f9aba2aaa78e3d3d3e361a051026bfc1ac309b4d69da4fc4de88f345200ef2cd5c4197c15f2d0bc33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{AC4D6905-9F26-11EE-8383-46FAA8558A22}.dat

Filesize
4KB

MD5
18eb68602f2252dafbd20c617b5c572a

SHA1
9fda5f3cb55fa6a3f6d0dee271863aec273e11a8

SHA256
cd6aeebb71a236e93a06c22a6731f0a5a050f94b19866140003d10e21767d968

SHA512
3c9a4ec3beb03402276c9dd040da991703ff001f5bc94c778ae1b63fbe5c64cc13d71d8d56a6ddc090a27225f251bbc79df82d13d6061cf2065a02e41620a102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA53.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCAE3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\{813B2B47-A0D2-4561-AAB5-C764A1A0BF48}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF1D5EC3686B914E1B.TMP

Filesize
16KB

MD5
0457e89ea370580c1a9521c1fc4fa8b1

SHA1
9cffb659aa1e51513d44eaa2ff1a0c52dd757019

SHA256
b240bf08129a39b88c4808f484207ff1ea5829dfc0d63ccdc2d98f7ae527245f

SHA512
d93af1e1a2f567856fc06a60bf13bb14496844b9ad22e4e46a97307089594d903ecd54309b1cfbd46d702e77eea48e64f7a2ae30d88f79460a3784bd2cbc8c0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2560-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2560-165-0x0000000069BC1000-0x0000000069BC2000-memory.dmp

Filesize
4KB

Download
memory/2560-197-0x0000000073DED000-0x0000000073DF8000-memory.dmp

Filesize
44KB

Download
memory/2560-1-0x0000000073DED000-0x0000000073DF8000-memory.dmp

Filesize
44KB

Download