bd456a902ea03b9832f591f858829997826c356fe0746400cb381e891680ee21

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
01/01/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
Size

2.5MB
MD5

39dd164fd6cf3c0c7ffc63a654c01a8d
SHA1

ef36ccb87b338c94e67a6c7c4a5293e7222436af
SHA256

4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1
SHA512

373ff3350b876ed9691ef1c8e920eb4b18ba887de8e8028899b9d294a055148810d2d368b57ff623aedd17605ddb8295a089641ac3a0431c02e282cfbb152412
SSDEEP

49152:1TjxpDC2v28vf+yGNbnIzLNckkmTmAl6xBaUmUUshTsdfIl+nMXf5H:xPCL6fpGNDQRc6T8VRx8nMP5H

Score

10^/10

google collection discovery evasion persistence phishing spyware stealer trojan

Malware Config

Signatures

Detected google phishing page
phishing google

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5Hq1WH4.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5Hq1WH4.exe

Executes dropped EXE 4 IoCs

pid	Process
2656	YV3li16.exe
2756	rJ6nY27.exe
2716	2vK7960.exe
2636	5Hq1WH4.exe

Loads dropped DLL 15 IoCs

pid	Process
2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
2656	YV3li16.exe
2656	YV3li16.exe
2756	rJ6nY27.exe
2756	rJ6nY27.exe
2716	2vK7960.exe
2756	rJ6nY27.exe
2636	5Hq1WH4.exe
2636	5Hq1WH4.exe
2636	5Hq1WH4.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe
2464	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	5Hq1WH4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5Hq1WH4.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5Hq1WH4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5Hq1WH4.exe
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5Hq1WH4.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	YV3li16.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	rJ6nY27.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5Hq1WH4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
65	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2636	5Hq1WH4.exe
2636	5Hq1WH4.exe
2636	5Hq1WH4.exe
2636	5Hq1WH4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2464	2636	WerFault.exe	32

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1996	schtasks.exe
2304	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6028a152ed3cda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000617caaa260c0fa0a7f97edae7f014012bd16d7fb7c08782fa8ef14238433d603000000000e80000000020000200000009d63a989645146f62ace32d0b69557198ff05b98f93e8d777b2a5673f8c1d10120000000e9c40059e2ae36a3bf5461510fee12a618a147a7e7b5b248b12bc24f9b4d9b4140000000df83fb1bed5d5a83e26286bd8ec74de80f37c8b18a739b3de48df623c164ee9cea1d764723bcc0e563da92da5d33de9acc344c8afd03156e875022d1fada3545	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{79FE55E1-A8E0-11EE-8A35-62DD1C0ECF51} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7A009031-A8E0-11EE-8A35-62DD1C0ECF51} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000006b2e280aff47f7be90037a4ea65f52891d727337dd259bf8b57a50fa88678e64000000000e8000000002000020000000fe3c9783209133018d96c434d982df2c472e9048c0f6e07d38847cf873f789dc9000000082c0bf007c15b0418ce488c2845f0880880b7033bc90e5898b687f8948178c6a4ca5b6be67d21a0ea79c110fae2afc3561f4285ad683d68fc958e0dc5cc6d508f6a4cb226c5a41f9a876babd36361a79327d4dc1370b0fe4bdf676d483d1753c2f361c80d1b080aa28caf1e9d222316b424272945b9ff7be8c220a9895f0364172e4a82d8d84db129b97a9118fa9f6a1400000000cb847e6dc3ca7664d0d44f2b536227c43979f1ccc5ceec997af1f03f8a047574bb6abc6b0d0756cbec5044b268e82a52eeffd62fe49c7aa9c76ce736091a4b9	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	5Hq1WH4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5Hq1WH4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5Hq1WH4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	5Hq1WH4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	5Hq1WH4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	5Hq1WH4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2544	powershell.exe
2636	5Hq1WH4.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2636	5Hq1WH4.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2716	2vK7960.exe
2716	2vK7960.exe
2716	2vK7960.exe
2744	iexplore.exe
2868	iexplore.exe
2724	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2716	2vK7960.exe
2716	2vK7960.exe
2716	2vK7960.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2636	5Hq1WH4.exe
2724	iexplore.exe
2724	iexplore.exe
2868	iexplore.exe
2868	iexplore.exe
2744	iexplore.exe
2744	iexplore.exe
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE
1204	IEXPLORE.EXE
1204	IEXPLORE.EXE
356	IEXPLORE.EXE
356	IEXPLORE.EXE
1988	IEXPLORE.EXE
1988	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2332 wrote to memory of 2656	2332	4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe	28
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2656 wrote to memory of 2756	2656	YV3li16.exe	45
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2756 wrote to memory of 2716	2756	rJ6nY27.exe	44
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2724	2716	2vK7960.exe	37
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2868	2716	2vK7960.exe	36
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2716 wrote to memory of 2744	2716	2vK7960.exe	33
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2756 wrote to memory of 2636	2756	rJ6nY27.exe	32
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2724 wrote to memory of 356	2724	iexplore.exe	30
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2868 wrote to memory of 1988	2868	iexplore.exe	31
PID 2744 wrote to memory of 1204	2744	iexplore.exe	29

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5Hq1WH4.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	5Hq1WH4.exe

C:\Users\Admin\AppData\Local\Temp\4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe
"C:\Users\Admin\AppData\Local\Temp\4b8896554332d025010afb7c2d634ae9ff5294433f534652aa1cf0cf2a0b1ac1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2756

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2724 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:356

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2868 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Hq1WH4.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Hq1WH4.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:2636
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
  2⤵
  PID:1552
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
  2⤵
  PID:964
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2636 -s 2420
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2464

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2744

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://facebook.com/login
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2868

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
1⤵
- Creates scheduled task(s)
PID:2304

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2vK7960.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2vK7960.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe

Filesize
321KB

MD5
6279dc967f093ec05e3f43d2581f8e9b

SHA1
dc9d4c123e94a28f4f857b8e3a0f7be3abb604f3

SHA256
5a5d40d6fdac8958aa3ef175d19f3dec9a7d7bf9c39b38a9f8d56267df53606d

SHA512
c3de828e6964d049177c2131f41c4ca3488b35da1ed536db8113955d19f45fcdf2d1ee82adaf470e492f4daa01f4be8e21079713c5a84c13d1fad80043bca050

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe

Filesize
385KB

MD5
5589871c0ac0833afdb4390c75dd1b9a

SHA1
ef1f2ff8502e8ec0cea6b42f2abf64f1c01045d6

SHA256
f2ec65f8df8a1a0c77fba0a1369a3721f70fab041412f1d36606a10db1372a36

SHA512
30fdb7168e51dff83c9ff2cbfb1b8bec80842b9535dd6f393de0df39c324d2f1def13090bdaded47440592a6ff305ab354146e580950bd2d9bb9be16fdd5bb39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe

Filesize
1.4MB

MD5
a8a69a7c47472b9ea70e3623f098a8b3

SHA1
4c78be82b30c1a95a4a452358495d3f28d601ac1

SHA256
8e976f19b628e6f5a8aa4cd494031484d9a821eee3ac37b327fb7740124d9de4

SHA512
679362a79927753d2e1b6ebf05f4c98a315e7158ef725408bcfb93161ac6ecd0485cd877d3dd2d165f5aa3d46ba0b0743e590974898bb50d105b48cedab66467

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe

Filesize
1.4MB

MD5
811f3b2e720a8cbd15d8656920a97c6a

SHA1
2abaa1926965b5f6784e3fbcd54b9712244f8782

SHA256
6e876b96d39010fa6827062c090700cd796a77c5e427922608105cca9c751b7b

SHA512
bc2e3b3baf939881665c4fc5f91dd1322f4328cf00bb540d910c1deba4478a82d088fb237d0c4af801f2dfdeb8ae216f0064be83a76465675f23c164f6ba0ecc

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe

Filesize
1024KB

MD5
4d5136be4bd2696f9e789cc17bfb0bca

SHA1
d7282c780605f1946c0e6e14c505fe5fba563c5c

SHA256
0429911d3978dac894dce34d537b34e08d448a359a8c31378f8178379b4b0a4b

SHA512
141e761244ed2e19b5cfe6a9fde72b007b75feb8f63f99282c04e0eb8f2b2960422bf9828875a137576761e7ff0392948320d9cc7e80929a9866270176e0288d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\YV3li16.exe

Filesize
377KB

MD5
2ce861e210af85a2e3d07f0ea9967552

SHA1
7c09d98a4143706544df5d61ccbb36a415666643

SHA256
9bd748aa7062d6cde2b8d30bc194b0e54c308712c26fe34e3740334f6ddddd0d

SHA512
17b9b0501b3c92b24547355915f54db8f8387411d5268979d7a58ae86be7a92aa80b95b36d2ff8ca01bc7bf656eb9170f9db987b7948aea97369545983b242ba

Download Submit
\Users\Admin\AppData\Local\Temp\IXP001.TMP\rJ6nY27.exe

Filesize
92KB

MD5
3774b826e7e33990cbf7aaae2188e825

SHA1
faa58be407053658ab97755e8922c69a371ad6cc

SHA256
2a4772bebb753ba61d49bebcb8caf0d4e390b660bb95000e59fd00004d93d2b9

SHA512
1f6ebd221264f1f8cb22a3e772b5975d30180f6f788e4d8f4f2f387dae7d7eec9ecf1e1ac901096a2026e8d324807654dc7494aee5cd69ca241fc0359e99f6be

Download Submit
memory/2544-102-0x000000006D820000-0x000000006DDCB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-115-0x000000006D820000-0x000000006DDCB000-memory.dmp

Filesize
5.7MB

Download
memory/2544-103-0x0000000002860000-0x00000000028A0000-memory.dmp

Filesize
256KB

Download
memory/2636-37-0x00000000011D0000-0x000000000162E000-memory.dmp

Filesize
4.4MB

Download
memory/2636-124-0x00000000007C0000-0x00000000007D0000-memory.dmp

Filesize
64KB

Download
memory/2636-42-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2636-38-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2636-257-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2636-584-0x00000000011D0000-0x000000000162E000-memory.dmp

Filesize
4.4MB

Download
memory/2636-659-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2636-761-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2636-843-0x0000000000B90000-0x0000000000FEE000-memory.dmp

Filesize
4.4MB

Download
memory/2756-36-0x0000000002990000-0x0000000002DEE000-memory.dmp

Filesize
4.4MB

Download
memory/2756-308-0x0000000002990000-0x0000000002DEE000-memory.dmp

Filesize
4.4MB

Download