2dfe7ea962b7c5fd23e9d710bae5aec1d2936c2500775658e410f8d68c5b4619

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/05/2024, 16:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

renmae.exe
Size

23KB
MD5

6838d8f7a93b769099e6b534398a3260
SHA1

924154b1197b58e783fea2507c071081bdde3b51
SHA256

2dfe7ea962b7c5fd23e9d710bae5aec1d2936c2500775658e410f8d68c5b4619
SHA512

402909e024f30418ff0c9dc8738e4b363a1234e481c5d9dba237b15e6bb82de550562fe6a105625a2395c850bdaf4f2f43391ee9ab031f9aa9baa4e01ff9f12d
SSDEEP

384:ILAkZtonVrxXDlX7sudaLi83hPLTuOm1sICJbt5j8KoQrJKdjT0:2AkZtK1lX7sxTITRBA

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BSOD = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmd.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AVAADA = "C:\\Windows\\renmae.bat"	reg.exe

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\renmae.bat	cmd.exe
File opened for modification	C:\Windows\renmae.bat	cmd.exe
File opened for modification	C:\Windows\win.ini	cmd.exe
File opened for modification	C:\Windows\system.ini	cmd.exe
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063002-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ = "_OutlookBarShortcuts"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063001-0000-0000-C000-000000000046}\ = "_Application"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\ = "_FormNameRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EB-0000-0000-C000-000000000046}\ = "_OlkContactPhoto"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304C-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063024-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063086-0000-0000-C000-000000000046}\ = "SyncObjects"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}\ = "ItemsEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ = "_OlkOptionButton"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DE-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063077-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ = "NameSpaceEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}\ = "_OlkCategory"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ = "_NotesModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ = "_ReportItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\ = "Conflicts"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CA-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063107-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE

Modifies registry key 1 TTPs 50 IoCs

Modify Registry

T1112

pid	Process
2316	reg.exe
2028	reg.exe
2352	reg.exe
2652	reg.exe
2232	reg.exe
284	reg.exe
2692	reg.exe
2268	reg.exe
292	reg.exe
1216	reg.exe
1588	reg.exe
1320	reg.exe
2392	reg.exe
1544	reg.exe
2860	reg.exe
928	reg.exe
1928	reg.exe
2548	reg.exe
1996	reg.exe
920	reg.exe
2388	reg.exe
2116	reg.exe
2796	reg.exe
2664	reg.exe
1932	reg.exe
576	reg.exe
2164	reg.exe
1752	reg.exe
2464	reg.exe
1548	reg.exe
1032	reg.exe
1524	reg.exe
2536	reg.exe
800	reg.exe
872	reg.exe
1848	reg.exe
404	reg.exe
2920	reg.exe
980	reg.exe
928	reg.exe
2396	reg.exe
1668	reg.exe
652	reg.exe
1624	reg.exe
2300	reg.exe
2372	reg.exe
1972	reg.exe
1940	reg.exe
2880	reg.exe
2760	reg.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1152	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1152	OUTLOOK.EXE
1152	OUTLOOK.EXE
1152	OUTLOOK.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1152	OUTLOOK.EXE
1152	OUTLOOK.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1152	OUTLOOK.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2580	2552	renmae.exe	28
PID 2552 wrote to memory of 2580	2552	renmae.exe	28
PID 2552 wrote to memory of 2580	2552	renmae.exe	28
PID 2580 wrote to memory of 2364	2580	cmd.exe	30
PID 2580 wrote to memory of 2364	2580	cmd.exe	30
PID 2580 wrote to memory of 2364	2580	cmd.exe	30
PID 2580 wrote to memory of 2536	2580	cmd.exe	31
PID 2580 wrote to memory of 2536	2580	cmd.exe	31
PID 2580 wrote to memory of 2536	2580	cmd.exe	31
PID 2580 wrote to memory of 2880	2580	cmd.exe	32
PID 2580 wrote to memory of 2880	2580	cmd.exe	32
PID 2580 wrote to memory of 2880	2580	cmd.exe	32
PID 2580 wrote to memory of 2796	2580	cmd.exe	33
PID 2580 wrote to memory of 2796	2580	cmd.exe	33
PID 2580 wrote to memory of 2796	2580	cmd.exe	33
PID 2580 wrote to memory of 2056	2580	cmd.exe	34
PID 2580 wrote to memory of 2056	2580	cmd.exe	34
PID 2580 wrote to memory of 2056	2580	cmd.exe	34
PID 2580 wrote to memory of 1864	2580	cmd.exe	35
PID 2580 wrote to memory of 1864	2580	cmd.exe	35
PID 2580 wrote to memory of 1864	2580	cmd.exe	35
PID 2580 wrote to memory of 868	2580	cmd.exe	36
PID 2580 wrote to memory of 868	2580	cmd.exe	36
PID 2580 wrote to memory of 868	2580	cmd.exe	36
PID 2580 wrote to memory of 2268	2580	cmd.exe	37
PID 2580 wrote to memory of 2268	2580	cmd.exe	37
PID 2580 wrote to memory of 2268	2580	cmd.exe	37
PID 2580 wrote to memory of 872	2580	cmd.exe	38
PID 2580 wrote to memory of 872	2580	cmd.exe	38
PID 2580 wrote to memory of 872	2580	cmd.exe	38
PID 2580 wrote to memory of 2728	2580	cmd.exe	39
PID 2580 wrote to memory of 2728	2580	cmd.exe	39
PID 2580 wrote to memory of 2728	2580	cmd.exe	39
PID 2580 wrote to memory of 1760	2580	cmd.exe	40
PID 2580 wrote to memory of 1760	2580	cmd.exe	40
PID 2580 wrote to memory of 1760	2580	cmd.exe	40
PID 2580 wrote to memory of 1160	2580	cmd.exe	42
PID 2580 wrote to memory of 1160	2580	cmd.exe	42
PID 2580 wrote to memory of 1160	2580	cmd.exe	42
PID 2580 wrote to memory of 284	2580	cmd.exe	43
PID 2580 wrote to memory of 284	2580	cmd.exe	43
PID 2580 wrote to memory of 284	2580	cmd.exe	43
PID 2580 wrote to memory of 2920	2580	cmd.exe	85
PID 2580 wrote to memory of 2920	2580	cmd.exe	85
PID 2580 wrote to memory of 2920	2580	cmd.exe	85
PID 2580 wrote to memory of 472	2580	cmd.exe	45
PID 2580 wrote to memory of 472	2580	cmd.exe	45
PID 2580 wrote to memory of 472	2580	cmd.exe	45
PID 2580 wrote to memory of 1224	2580	cmd.exe	46
PID 2580 wrote to memory of 1224	2580	cmd.exe	46
PID 2580 wrote to memory of 1224	2580	cmd.exe	46
PID 2580 wrote to memory of 1016	2580	cmd.exe	47
PID 2580 wrote to memory of 1016	2580	cmd.exe	47
PID 2580 wrote to memory of 1016	2580	cmd.exe	47
PID 2580 wrote to memory of 2232	2580	cmd.exe	48
PID 2580 wrote to memory of 2232	2580	cmd.exe	48
PID 2580 wrote to memory of 2232	2580	cmd.exe	48
PID 2580 wrote to memory of 2300	2580	cmd.exe	49
PID 2580 wrote to memory of 2300	2580	cmd.exe	49
PID 2580 wrote to memory of 2300	2580	cmd.exe	49
PID 2580 wrote to memory of 2404	2580	cmd.exe	50
PID 2580 wrote to memory of 2404	2580	cmd.exe	50
PID 2580 wrote to memory of 2404	2580	cmd.exe	50
PID 2580 wrote to memory of 344	2580	cmd.exe	51

C:\Users\Admin\AppData\Local\Temp\renmae.exe
"C:\Users\Admin\AppData\Local\Temp\renmae.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2364
- - C:\Windows\system32\reg.exe
    Reg Add "" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:2536
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2880
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2796
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2056
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1864
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:868
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2268
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:872
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2728
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1760
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:1160
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:284
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:472
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1224
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:1016
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:2232
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2404
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:344
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2272
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2028
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1624
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:488
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2892
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:972
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:292
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2228
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2928
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2616
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:2396
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2676
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2292
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:1260
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1216
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2352
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:908
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2968
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:272
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:920
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2860
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2664
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2388
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2536
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1668
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1532
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1624
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2164
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1848
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2920
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1580
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:2172
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1932
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1940
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2504
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2672
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1588
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:1032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2176
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1160
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2988
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:800
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2524
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:2396
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2372
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1604
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2736
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:336
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1320
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2164
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:112
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2320
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2496
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2392
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1628
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:324
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2200
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:404
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:916
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1572
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2548
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1752
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2692
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1848
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:448
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    PID:2944
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:928
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:2760
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2388
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:1640
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2272
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2464
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1928
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2896
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2384
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2112
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2548
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2652
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:1912
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:1544
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:980
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2296
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:652
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2236
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2316
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Modifies registry key
    PID:1548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2092
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\msg.vbs"
    3⤵
    PID:576
- - C:\Windows\system32\reg.exe
    Reg Add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "BSOD" /t "REG_SZ" /d "C:\Users\Admin\AppData\Local\Temp\cmd.bat" /f
    3⤵
    - Adds Run key to start application
    PID:2316
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1524
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\renmae.bat /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1996

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
144KB

MD5
d59f5ecefc6170cf2f4324b2457d5aff

SHA1
cb8ad7ebebd360964bbf24e4f8e29e6c46c4140b

SHA256
7518903afbaf6a0cc275fdab39465f659e0d1a06ff11b09872c4fc187a97174c

SHA512
202be944ad3f691c7e010791c26bd9832ffba72b95f2f71b144dd9d6cb706e83ff6a144a82cecf8111fb7221cac9856a0c236f35903df5867c9965c040db544b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
235KB

MD5
6ebb36b990d896ee0b59c00662741f22

SHA1
921b4ac7bf24381542ed5fa67511ae43e982a40c

SHA256
a8341b67a415604c986d06eeb865caf89820dae0386df2a912fe9a1f53ba02ae

SHA512
18a6f95842a452d54114ed1b1bf7749af6a71d5d36d3a8abc2b3aef40efc74b2319f1981bf2457b5ab3090e50ace777872b0580bc600ec5ede45e03b24429584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
5737edd23af90d4aeaa04badfd586512

SHA1
e0eb9ab5b6bc7b78417959bbbc6a58626fe8086a

SHA256
edc2ffb2cbd7e581119a6b1e90f7a54c64fa18f68c863c94091b0ac5ce879a17

SHA512
6e3e713c3bd14fb8196567498f05b916a390665a74343cc72af6f9adcaba471f064559bfa6e422a6593756dfcfa95013dce6fbac19c79ce4418ed92e66a1076e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.bat

Filesize
5KB

MD5
a74b0ff9929d26f6d322b40eabf678e9

SHA1
7c333309d0ae4bb3532ee04f914c10b881f52159

SHA256
8eea2eb46bf78c89ebcbc1fb433e4924e050430a4a7b206e666a1ca3435c52d3

SHA512
a76b6acbf2f27e0486622e94945ea6081994332c560e5af781a88568c824b4e4f4f1f8b648b40da1e475149024d4bf80887452eb139e44fe5e99b9d7bdc306d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
455B

MD5
d941c912706c17e0f306f74bd0e10886

SHA1
01b3e38ea2988d3ccd3f44df9ae15858d2b1374e

SHA256
a13c3cf269db4c9e0bc649418c85842ae924cc6d9ce8c37116536be15062b654

SHA512
bff825f5e30a2cbc5b9d6a685fe4bd2b5c2c1c1cf448db18a05a811e04b2c01259e29afee26fbdc815c3fae5c0d74e36d49809099e3bb2c8472ced0b38d15bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
490B

MD5
873e185277fd7701341b5d232776961a

SHA1
89b52d8d40067696eaf07269e7797a661f2ef4eb

SHA256
28bfa2a16c8f2cb05da01668e45286b7d5b2a8d0c2e987f6285bff82bb8340a4

SHA512
b2baae3b72fea5038c74bf6eb9b476165584835ba2c63f5cf00de33c24acf1e883abc6ba086fea14b3293dc94b227173bc93eef05d35ead47829a82574fc5bf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
70B

MD5
ebcb9ae9660e34eef3af5ea9b31e34d5

SHA1
6f201d5bd6154ad84f2bcdcca274bec12fd19c30

SHA256
4e2c660f39850b1be843631c6b466a2de1730ae1f22143df0bbee3081a07b3bb

SHA512
3eda195774d93147893053910e9b6801434c643da7b95e85ebe81b3e06d2b5fa395b8057d3f04a90661d6e06fb7a43ca59de58a689200e2a909379c8faa380cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
525B

MD5
feff56ac7fc0d50306f40ca4c7300963

SHA1
95894ee7485ef5c84fdbddddf7a9f60bebd37415

SHA256
1b2af9052fa95a1164e99b07c2e7bce213a442e342a0107a047ebff06bc9fc34

SHA512
1081de2436b11d6a59a55df1f16285fc55fde42062d0eeb5f3d2550d9f0fa8d28a8b30995d19aec36cdf0a99980f775d98a9aca0a21df6e41bbfb8f1f1aa59fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
560B

MD5
2f14162c3b9c9dd43c46140dc1acf1e6

SHA1
f18399eb6c22d9f6e00fc89ba4f937edbed25ccf

SHA256
3d7356a62234ced789be2f3342e09af9ce4ec72719ce503ab8522f3b3f15d73f

SHA512
cdd48f7032109ab3dbd7cc51485a0865434cf81d103a19b5329fed5df7ca569b70f53ac8c897629eb3950af13c63ad66978d455e23d0c590957a8d8f017a9c17

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
595B

MD5
9dd6906b23aaa734e584533f1815bc45

SHA1
a6674b1d7f00cb812d2a4c5387f827a7e5b4cdb1

SHA256
07ab7499000b8b099cef5749acf73c8e0575622297a7724d4a6d93ec73684c4e

SHA512
7d27f62d0b1fc54a2eeb18885862555232c62e990a451a4b8538ffae081601dee6c6b6470ed203c7ebea13aa460ba48f19156e7153df86739fb76eb7b4dc6f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
630B

MD5
fd176009f0dcff66fe97d9041bd477de

SHA1
9175790684e6d77e93ffe86c1df86d882bcef508

SHA256
0a7193a5af84cf7a00e17aed024bf321725f8ed54c9dad4d8c72a0277eb12957

SHA512
53eea1cacc9961cb548888a5b915ce7c3f3f7669b510185f22fd0b4fec3e93e18e06aa903026068281722641a9327be801708509c06eba3e82a34823bd1ca747

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
665B

MD5
9c8ed67baad90b919c005936f9eb5899

SHA1
56adbe5ce35b12eecadc4e3cb7f79d9072d15aeb

SHA256
0b7968678fae9c6a40bb9098b33aec34ac3578df94fce1df19f69517b86fff37

SHA512
36f2475039b99d946271ce8145aed371512da742077631c4e470f7ec913a79822f4a85345d019159f18ef8c932b730a07ebf96f5da6cd7c1b56c5937f05723ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
700B

MD5
4fbe60e4584a95b1a574cb8ce8b8fcad

SHA1
e8795f30016e064f3a8ab3ddc84cff6d0945b16f

SHA256
4885c185fb58501cf6f0effdea494178def71bf595dd044cc11871493c6c26be

SHA512
37fbb8084f468591168d2cc9a7d04f209f93ffa535e7195b88a9b4bc7bf85df0339d1ccbdf75cb3db59f92c941ff006aba7df81b1abf4e28b22d2ad6c10526c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
735B

MD5
b86a774d0afb4049e99c3d704f627f0c

SHA1
f62c5cf20d3125c90a53404145621303598bebec

SHA256
6f7514a1c1325ea9bc9c7fe7d205842f96b9bbbf973d0aabf580d9522950822b

SHA512
e8e64f6f48b0849833f72bbf0e9f8d96ad2bf21fa1bf523ec5ba1a119f5a04197b88c07487c5049d539bc84d9d9de6dfb8a1cf1794a9d18879325b705772bb4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
770B

MD5
85824f275a7e9442b2f582b7c9aba673

SHA1
35765ee50fd92ceaca82a18b112369dbae2ecd4a

SHA256
f831621ece7bba9576a52d7e14b0269ec543d1ccff2d9d171ab59784db69e394

SHA512
cd3ef7e6435943ba1433464cc8e72eda8df1f94b5966d6549e06f51e1169cf62d75ad38780e477f609437799b9d35f84d24fc3fc92e8f741e50c46986eb99bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
805B

MD5
fd6ea292bb857f55c121b96b204aff1c

SHA1
bca2927c122d853bd1b5c09f6f79566af8526751

SHA256
82aa36cad47404721132eb6e29062f80d5d2bba3e3f2e5fb30c97ec7e38edbdd

SHA512
5e937b0e5219b54ded6579143bf91e39f805d27f42079c9915632f61179e59dda5f3c9778ff8677da3932ef111426196d0ced9207f5ff9ff61dc14fb1e220377

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
840B

MD5
b5c47bc51a4e58fdd16f24421bafce9c

SHA1
b9a871606206d615c0553181554b419a1efe3301

SHA256
0483addb30076795733efc015f795334a5f97b8f6ebc4aea97b5f5bca5b1eea7

SHA512
93c16d4939efd1e549b12b99163c5905a7fb93c0ccd59b869595c61e15be637a22d2400a5aa01f30037bc513ed21d0fd5fe579d7929871a1c94f67ea1f7bbebb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
105B

MD5
29c61387438e0a5f3c7efbd329fb8dbb

SHA1
14c72b03f3fe99752bd487b7fe68d9c444141524

SHA256
7619fb75152277209d13801ca56c781ccffddf729fdb55153d0a0520bc1e43ea

SHA512
b3cc1031c3e078f15ba5392fc6c8b1c10df91f9e4797d283f1588ccb4d5015dd41c93ece7b006734217da1d5f3cc326b72a4b8cfceae56afd13f57143b6d4eb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
875B

MD5
f6513b1c4a2cf54e51dff238e6e7f0e0

SHA1
2503a36163eeb12178e7e041982adede2945c172

SHA256
ac709916669863f16fd1345f8c90081a28c99b39f85ac90ef339f1b0d5769765

SHA512
3962e352afd710ce5c327a97b7d9a95a045a6f72db9b17aac21e743b37d86ec17c12f19c104c3f01cc118413bc7229650d16ba5022e21d6fa12ffda1cafcab61

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
140B

MD5
d18717ed97c161daf8188301c5ee94fa

SHA1
5e2794ba4b68c1d54b8ef6bf212909201b952e69

SHA256
a60d2bb397236371c47c0f51b08834444403e3b47b1e7fc439aec9ea92af795d

SHA512
6d665461be61c758b2aee3f108517840041f1c30e1947b4dc535023c413b9d2aa0bb06e0bbcf17ec3bd39a9d94573d937cb2e462090cd7ee90d148ad2f7a9f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
175B

MD5
96914859f8c6ee1f5512fc022f52fa85

SHA1
88e8cb432be086a2305d363aea86724609f5f986

SHA256
33e9662a09e399f3ecc3958dfe49876050819c8f38f3e659a7b3a67275e6b5f0

SHA512
3927f11207c6dd0f3a92dae595b2cff6e25ade21a6eb2799f58108205e444d06f20ab3ecf483527881a9451fc95827caf12c73c903cad23fc930584ed9499635

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
35B

MD5
5398e91571e1c61b587647dd7ff7c3b1

SHA1
95a5a2175875d85566abae2b4b76fe7f39e8d35b

SHA256
6f8b93c4172f525ceabdb61334ce074465c42ed3d52668908b6612644026c90c

SHA512
e7c1c67b30ff837ca9c94d9b55aa16ce4a80d28d5a6b7547c3bd4eee208bdd927fee2a0351fc40cadc35f5c3099bacd9e6979100e02f83d1dd14affd7fdf2592

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
210B

MD5
460bfe037faab17a4776fc21b85d410a

SHA1
3252fc63ea4520f4332d339275b25b8749229264

SHA256
ba910a12d79f4e8976ae9be2b69343acfd50b30531c94312b696c464a0f3e6b0

SHA512
3230be63fe6fda0d45d8337bf8b1860defd46c2aba79803605faf8eb2b17afe5fcefd24c754cf120127c1b9370bc0ebed0e9d893d665130370e116a36faa5761

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
245B

MD5
8565f8dc638d997e91223adc83f625d7

SHA1
cd8620f22434d7f9cd24d565d544ccd311ac0783

SHA256
f8202e77a2ba921a00fac0f5de2ba7ca0be1c16d83d48dacc2c1b109c4516c71

SHA512
f0de5120c6e5f3f966ef13cd2d92d4adc85ac088b47e3eca8a49a2dc066787f1be77bf02660c54e5af6100cb73c5f82c233f97f5fabf7219a4408cfea405e29c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
280B

MD5
f2322c1bf21dbe9a1ea7374679b583ab

SHA1
9fe0a0fb12f40941b72bbcf47f597083a8ef31fe

SHA256
e7ade907881c6466e32985ec1522e4a0f4c81b9e3cb2eb36c79c26f9df6480b7

SHA512
2ab74bbf665f6a30af12f85115ca760504d841344c8672ce42aaa69cec16188053d33ee470abf01b6e71e0564db54a8ccfc048f44ca7e81ba0722ffeafc7d580

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
315B

MD5
158ac6070a3da118f1a18b9714af8ca6

SHA1
96eb25359e5565de18627cbdb041ddb9ecd53171

SHA256
c54c6be9b9dce717978a4d5e247f86a3dee7299aabd4b945d70b4dd34b4ea77c

SHA512
895c0c7b174f35569a7015a5fd853d64c08b144d6cfef3084d2f4b5aba304bba2bd81b893c0302d26cef5a46213cada011ef1c2b61b940d284429d713304510e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
350B

MD5
74dadb3f943a0091c2407a4d3db083b7

SHA1
6c780b5912e95df365b39bcfbb29939679f64a73

SHA256
1f0b43a414b87ac41c431c780b41d181c9bcb168ef8bccfb7e38cf5f0e540639

SHA512
11fd2aec8fbdb81b07423bc1fdbc03a06c5903ddacf8927bb385dc948c3f510a81ac3b32fb39d8d0f269f430a624f06456a90ad0d32979f19552cd5e40072f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
385B

MD5
0de92bae608ec8eb24a68403357bc9c4

SHA1
a4f82db8b048593f1de4060f8cfd09a888c29dcb

SHA256
6ad3cb814b6d43d43709127629e3a5c66d397ae8c8a50a6a6d2905d344cf951c

SHA512
af414f22262461bc9395b0934e7dc0301f93f3eda7768bff02797c68ed594935bcce2f559f519e147a92c893ffe7d3b03d864073c4597cfd20b9fa404f466945

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg.vbs

Filesize
420B

MD5
86ef392f9333e749df05972f0a323c1f

SHA1
e24e9ea6a14e01f90a63e2563cc73ffb6ae10c0a

SHA256
b9a3485f722a49101c05433d56596453ed1df8b8a8ba6c9c946e06040c797609

SHA512
38d0e063bdbda3f2d3c22c6123eb9c595dffcf9a8112ab2392fd3544cd789c8c85873cd7ce2e018614a44acc6feb2199d407d404bac4f78d74981cf0a3df21c5

Download Submit
C:\mail.vbs

Filesize
6KB

MD5
970f66337d5859947c7c51118f5e4a17

SHA1
1cb69b088fc04f5ed322f54c5b1fd01c24d70989

SHA256
a08660a2e74d7c64f608912dd8d99afcd93b14924faaf0c3aadaef8b4fface52

SHA512
6c47d439334526dabd231e47c2ff72e834f6b9b8b8831af88473555f1e1e529ee6ad9e09b0c7e87557630ba4ae80cbaf34feeaacd79ddacd7f4d909d49943a87

Download Submit
C:\mail.vbs

Filesize
7KB

MD5
260cbb37400c37c0bee7fe51e6b77644

SHA1
e2743439d3b209516bdb084146ddf3bb881c88e1

SHA256
2a3a061f4af12cd1ab3fb8bb8ed50469a91f72dfb73604028b89f95053aca0af

SHA512
7a9a99dee105bc93d774124a6dc768ed3e186a962bae9823cb102aa90642dde52c17750a567a892547a01c7a6cfc4383fd7ab7bf00b1d6cdda313c31b4bbd11d

Download Submit
C:\mail.vbs

Filesize
582B

MD5
6c7e1469283c11b8bbb2cf271f230089

SHA1
48043b008db89382afc692fa7a59ef7addc01e58

SHA256
2dff8b3e9de8b60eed66a526f65046fa19c408a37f710d81cacbf1f0007a526f

SHA512
f9e43e2ae6c63ae98529f22e9c8dc1e7474b306819044c43fed06f703200bdc53a3726669105b7437fae5ce03059a371efa95601c18afb5e2ffdb54c89a3888e

Download Submit
C:\mail.vbs

Filesize
7KB

MD5
a9c93ec65cae89c385ecd8ee86410c6d

SHA1
d76c25f5e6383a3f4fc88aabeb597fb626d47fd3

SHA256
c386bf9a68f1813e91eccde8737835ff3474c3b5eb2b6ddcd6c7a94d2abb51ff

SHA512
e6b4df5af42246c6d56c069e68ddc491848286e875f3ee6214455f29c2da0933819871950c20ff2da6609f802ae3def24c12c08de8d8992dcfac9580e1b5258c

Download Submit
C:\mail.vbs

Filesize
8KB

MD5
ed523e5a45c57d0dc6a64b2d9856dbc9

SHA1
412453a2f3348a1f0816a8e7249b81fd60d8b525

SHA256
b3a58157de9955023bc5c9080655d710288bc23e6755d01734d3877645e010d2

SHA512
f520d5dbac39f9ad7bdb23b39a33df934d98fc56055348dcb7a0a858182015cfe32ddbb97b9d92868d66df91a4c00afc72ff80e4cdd7b27e3fe9b96f96485520

Download Submit
C:\mail.vbs

Filesize
9KB

MD5
4a9c941d45cf95beffea52e93265cc3e

SHA1
564c916faf16924cc1d67030f132f33ba481349c

SHA256
6a488b40098c4c9e6f8364c7735ba3b8efe13f5991327082e96ac277aae66de9

SHA512
7598098c1166d0a3751fb97a8bfc55ed8ec4465f43a7ddde79f4a6a05eb3395f00849a54a208ee8096a276242683b8348c2357b5c6c46a349089f38746d71315

Download Submit
C:\mail.vbs

Filesize
9KB

MD5
76a5ad36fa9535265ba76d7196cd859c

SHA1
7471d78d3780612d6ee6155c10276ebc40f67f21

SHA256
1c106ff3c2a93053d1bc9645eadd4f0de01929f42e1127c6d7f8a7c4f13a7181

SHA512
63cb0887da6b3945dfb5db593cbb33c72ef1a57d14d165321cf16eadd5a87dd674658523d84fc9ab1cfdc4ed7cdf70f394cc9c17b2e2430a53650b27a43bd7da

Download Submit
C:\mail.vbs

Filesize
10KB

MD5
9e4c9e92d0278de0c3ece483b73a8d0e

SHA1
39f1fabae98201cb6fbb120d75f9bc9c10e5b115

SHA256
07f0a20e403d46ee04a89cc03120b4f82db80298dc8df2f903e8500195eeab14

SHA512
523956371e01690819175303ea75390a54f079c7f7f91ef22b77716a4e4d800dc3451febe5eb294aec86893b15332ea3a5a4b09157dd0c4bb8373cf1ea02662e

Download Submit
C:\mail.vbs

Filesize
10KB

MD5
cae1c359a5c81e8a324c5a57209280ca

SHA1
191f0e77a65bc5006c69a2cd44b65be94d29dd76

SHA256
f4da871f34011b7c14ddb447c4bdb52b4e7782c4edcf53b24ec14b83ad0b92c7

SHA512
9da28f69fb5cf62c415b89af6eb086b4604b2238c7fa74dd328dacbed84f183917872daec8c20f65a06df314ce4ccb756759fd0545370af390205d2c012bdbb2

Download Submit
C:\mail.vbs

Filesize
11KB

MD5
3398a947fefe1b4dd913918a0c059206

SHA1
a4bfc0ae522c6a8eddf2e93d2b1600cb853a19d7

SHA256
46a601a5faad33c0239a71590a8685ac007c5761074cf7c4e0be467f849c81aa

SHA512
9b490dfd72076b1a2e804344757084f30f5f3c9130d7a5b7ebd8ec335e6eba47e51879cc3dd8ce86dcb4c3db2d84c5e9affa61fa4853864d8fec374a879fe7f1

Download Submit
C:\mail.vbs

Filesize
11KB

MD5
a0d080b87effc9d4999bf85b566bb048

SHA1
c757e79163b6a287ac1ef9b0eaf940981d43a457

SHA256
7326c573856c4d333dd4926f63c2eab7f777cd9f499db24f2992535905029382

SHA512
16768e4c91f9edc951bdb45924e0a69f8c6193b6566ca55cc27a48e7fac1ebb944368462ec83e652ba1feff5ce95b8b3625db59ab56d53602e8367567ea69974

Download Submit
C:\mail.vbs

Filesize
12KB

MD5
7458b2cc51865d115b5aea81eda303b1

SHA1
73bdde5ee8f9ad95b4ce35dd229072a337d6d34c

SHA256
01845b10f25450b931dfffb5d74bb90dfa935e3f65d746e8d139d6dd6a7303a2

SHA512
4f5db9c7a30ce7d7ccd9bd9211caf018ee36fc00c3c33e0e9457ea1eadd7934f478903b8d738d37bc6d1234a56f9039cb7255689191a4062aa9bf5cf27d28886

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
dbf08fa28aca94e230cf3f79c4b202af

SHA1
2285149e48c11ac4c18648192b39e7f4dae0b7e5

SHA256
443b953fa45a1b1ab156d9d965d8439cb516231fa5fa972fb66453672329d2b1

SHA512
ee9bd2a55992c4cb1ae77ddf93228bf03578aee8f28888af59fa8ff2e58e72b48ad37f472c7678a22edd1268c42a15d8a0a53fc028fc3b193e937de085ca9507

Download Submit
C:\mail.vbs

Filesize
13KB

MD5
36bf8d9dd5d14322d30e2840231d26ad

SHA1
a60e933962d3c2b77e3e51a641401739237c7f36

SHA256
85735829b97968ad3fc3e2d4d835b3760e21ed3615420013ea4c54396f2c19b2

SHA512
2666fb388b88a65fa6641b1a06927cfbd256eb6f8e2d55c665c89c905d54783b707f94e3d6daefeb7f7b80c0513e0b221b39e04041bf60036ef831ef9bbf105c

Download Submit
C:\mail.vbs

Filesize
13KB

MD5
74b409f3d1b6a8aeb2db7574e786f458

SHA1
984d427264a7bd9886c95c90a2b40d7c0605c409

SHA256
d2850dd5e6f978f9e510bf2c1e8c1b65d71f89eb2f94fb8d04e4fd37cafd22e5

SHA512
13a4a714f933da27e1ebc0a90f85e8d66c12ba9eecbc802ec4bc9646d55d1c7a35bbf4f0befc90207945699023f0b7b290dd0a39eb2d554674493eabce58d2dc

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
346d8fa387d02ade835657bee07eb79e

SHA1
5289c0698cc0d22274d3d20be1b564b5396019e5

SHA256
7e5d7ff36882796f1ad2fa50e5db30aef5c68224322675f8ad66c42d3908899e

SHA512
5581d1292e3d994934909bbb42112286d4cf5de857fd29e813986d5c520252e1ddbca64f674280070706a4004e830c5ca964ae485037875866dba3a9b6e421b6

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
172716c6583c6d028da46e49ac3a1514

SHA1
2073f0450b13677c6e2b074ad21cf5c8151bb5e0

SHA256
94c52eaf8212669addd6d7dc00eef9e8d0f80d79bf206181f388603d4851633f

SHA512
0585819be8bd223c01e9ecad39646e42ad5e18fb1aab2355be95dce87f6cef1aea1e29ca8925bbef2a526fb634c05d6a8032fd7d871b165a203a3585d55d6f6b

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
616fb281e6107379e04ca2b98bf9945e

SHA1
18781190d36565945ca2cdc8845d34a4d97ef156

SHA256
2a1d8c18357da79da0cf2427271c6542d520db5f0fa1c59686a70cc0f6c3259a

SHA512
0bada1519aeaaebd1f3f28b94745c85acd6e1d22071322f64d983c9cd83b38e33b8792b01e52b6fd17af0dc210a2f6a6146517168cef38aac41cd21c75eaf155

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
d5d5c82ee4335415a90cd1f8c68fbdfa

SHA1
b692fc637de7cf572c865827cf828d0ca398282a

SHA256
d4eaba00467a27bc4d968b284f7946427da80813f16bad3e78aeb004cb3bbdc6

SHA512
88c2d35d9222b388e91058eb81f206815cb9583fde4ade45896daf3921230a0e9dbabfdc537230cfdd1e640d9c22e8d0710f80613b9c23dd8fc5bce0904c5898

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
76348b0773334dc30ffdc0844a6d0c4e

SHA1
f86db0b9c1167aee9f744ece52d02a8dcacf291c

SHA256
d3325350d7e8652118427b21deb4856d80e4f82fed44646b6c155e60d2893d07

SHA512
6f93a5b13b1fb924ef158daae66c59993c7eac59c1f19cea38731e0010bf5c342b42987dd5bd5f999e6afa7c3c09f3d8274cf592cdaa0beabe97b9e24741f668

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
2b17c4697e6967301ce16a45c4a54a4b

SHA1
fd886ad7b8d04cb7b68d044d8f4bdf17991bdbbb

SHA256
669581699dfdcc3994918f5104fc82b80b6dfbb19415f98af05c80aaceb2ca76

SHA512
f53419c2cbee259cbcdf42ccd67c1230c0b4f5bbcaf88afcb2c109aa595d1bfc395a7d0bc36b35debcbb488f38884b3c51d0ad4650fd3613dcc29228ce38866b

Download Submit
C:\mail.vbs

Filesize
4KB

MD5
31d64765349409fa0507fdb079ac6b65

SHA1
117c3ee203ff391ec49521861eb712cc504c1f47

SHA256
0b339098ae1b05adb3eb4c82413fb3440017c48fa225ba9183844b2a35ac0070

SHA512
d6022ad5f1299228e93bbb1348bef37035f855253e86ade18b180d8ab678e0d2db784d04cc7a70afb63de27f19db58d11bce7d59ab4a307653f11b77d21f80ac

Download Submit
C:\mail.vbs

Filesize
4KB

MD5
f9acbba869acbd9204001d67587acf71

SHA1
db0964ba0f6fcbfd348052f961e773c735513588

SHA256
80b7043316073ac3af487fbcb32aa466eeba8be798d218189b1fb53c4b671cfe

SHA512
0ba12c59b57b262243d480a53eb45ec97b0e0bf2c33a83a0921dc33d9af9f90bb49d8cb960687d48a3c71b6cf96d058adacb61cde0ebf294d2b5084828ffe572

Download Submit
C:\mail.vbs

Filesize
5KB

MD5
a8b6df7b2e9189c22b1e2f9352146623

SHA1
bf578d0e8970c5da26172807d84b89aa4bb35eec

SHA256
40ea1e861b2b95d718bf24366d9c2bd67fcf468c8576778fdf7633debf34005d

SHA512
6bc641fb42e4f2c094ed1a23e88ef7a76daeaf4c2c1deef4268cedc00a13766dd9e45af0bfd803e7df88374cc7c5b035dbe9b1eabab67ab68150e4dcc972a139

Download Submit
C:\mail.vbs

Filesize
5KB

MD5
c2c53a6dc4cfa6ac94161359377dd4d2

SHA1
32725cd876f2c1c6b25c3a730333b9a0f074aacc

SHA256
e4258fd7fd10af3bc4404689aea4cd3001537ea134a8203145e5689efbb966e9

SHA512
3ab785934530272cf20bb68c6518fb98116ec6e0daebf1b89c285e0db196357296ae541e662d983a83f542baef9904eeffede1340bece9290a3d3bff03046376

Download Submit
C:\mail.vbs

Filesize
6KB

MD5
a8f53a87b76c19ca6263fd0f09a92013

SHA1
5804efe61c145074e55e0788316c2a7e1986770d

SHA256
ab611402a4a543f44a31357b346b08a10c962c9923afbe3f23c5e87f54cf6ee1

SHA512
7ec1eec80e6152d9df52c7fdfac508a23815e819bd90823635a323b503e883d590a7802c7266b1913462bbc6c93de797dd299117f547dc42ac9c7e89bb9dd0e2

Download Submit
memory/1152-261-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2552-0-0x000007FEF6083000-0x000007FEF6084000-memory.dmp

Filesize
4KB

Download
memory/2552-1-0x0000000000DB0000-0x0000000000DBC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads