Malware Analysis Report

2024-11-30 05:42

Sample ID 240619-ln4a3aseqn
Target ba53e28462f5be2540824ccde6aeb615c2f3d161.eml.tar.gz
SHA256 373038f90abd4f4195e51d793f26e657c876997a0591ff4309f74aeaef701a7a
Tags
agenttesla collection keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

373038f90abd4f4195e51d793f26e657c876997a0591ff4309f74aeaef701a7a

Threat Level: Known bad

The file ba53e28462f5be2540824ccde6aeb615c2f3d161.eml.tar.gz was found to be: Known bad.

Malicious Activity Summary

agenttesla collection keylogger spyware stealer trojan

AgentTesla

Loads dropped DLL

Executes dropped EXE

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Drops file in System32 directory

AutoIT Executable

Drops file in Windows directory

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

outlook_win_path

NTFS ADS

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-19 09:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-19 09:41

Reported

2024-06-19 09:42

Platform

win7-20240221-en

Max time kernel

53s

Max time network

37s

Command Line

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ba53e28462f5be2540824ccde6aeb615c2f3d161.eml"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key enumerated \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key enumerated \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key enumerated \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key enumerated \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F9-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302B-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063075-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\ = "ItemEvents" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ = "_OlkBusinessCardControl" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304F-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063098-0000-0000-C000-000000000046}\ = "_CardView" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\ = "_Rules" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E3-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F8-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063007-0000-0000-C000-000000000046}\ = "Attachment" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C7-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CE-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DA-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063036-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ = "_MarkAsTaskRuleAction" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046} C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ = "_NotesModule" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe\" %1" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ProxyStubClsid32 C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ = "FormDescription" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}\ = "_TaskRequestAcceptItem" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ = "_ContactItem" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\msohevi.dll" C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\0IQ11QT7\ORDER_01881371631.7z:Zone.Identifier C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\0IQ11QT7\ORDER_01881371631 (2).7z\:Zone.Identifier:$DATA C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
File created C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A
File created C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe:Zone.Identifier C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeShutdownPrivilege N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 412 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files\7-Zip\7zFM.exe
PID 2408 wrote to memory of 412 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files\7-Zip\7zFM.exe
PID 2408 wrote to memory of 412 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files\7-Zip\7zFM.exe
PID 2408 wrote to memory of 412 N/A C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE C:\Program Files\7-Zip\7zFM.exe
PID 412 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe
PID 412 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe
PID 412 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe
PID 412 wrote to memory of 1548 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1548 wrote to memory of 2152 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 412 wrote to memory of 5936 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe
PID 412 wrote to memory of 5936 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe
PID 412 wrote to memory of 5936 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe
PID 412 wrote to memory of 5936 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5936 wrote to memory of 6036 N/A C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 412 wrote to memory of 5904 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 412 wrote to memory of 5904 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 412 wrote to memory of 5904 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 412 wrote to memory of 5904 N/A C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6108 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 5904 wrote to memory of 6116 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 5904 wrote to memory of 6116 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 5904 wrote to memory of 6116 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 5904 wrote to memory of 6116 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 6116 wrote to memory of 2852 N/A C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2204 wrote to memory of 3456 N/A C:\Users\Admin\Desktop\ORDER_01881371631.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ba53e28462f5be2540824ccde6aeb615c2f3d161.eml"

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\0IQ11QT7\ORDER_01881371631.7z"

C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe"

C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC913CD96\ORDER_01881371631.exe"

C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe"

C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\7zOC91F6AD6\ORDER_01881371631.exe"

C:\Users\Admin\Desktop\ORDER_01881371631.exe

"C:\Users\Admin\Desktop\ORDER_01881371631.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\Desktop\ORDER_01881371631.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.messenger.msn.com udp
US 64.4.26.155:80 config.messenger.msn.com tcp

Files

memory/2408-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2408-1-0x000000007325D000-0x0000000073268000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 1f440f32491d2d6e6af2e801ea0b2bac
SHA1 9a15cdd718168e077a3ea6fc47a013d573369227
SHA256 06356b39d0a9400990bb0c6d91bff1c4bd8a732b54f768396289bee23507c7b5
SHA512 e04a78adc7e7ca97becc6e5386e0474120b55ec7b08955e9490bf496b78f52bb8154baf01af60baa5fefb87e1c25df8beeed551799aeb62ef7840501ee076ea1

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

C:\Users\Admin\AppData\Local\Temp\{E9EF04D7-126C-4610-8834-90069D556B7B}.html

MD5 adf3db405fe75820ba7ddc92dc3c54fb
SHA1 af664360e136fd5af829fd7f297eb493a2928d60
SHA256 4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476
SHA512 69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2408-201-0x000000000F7C0000-0x000000000FA38000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Outlook\Outlook.sharing.xml.obi

MD5 bf6f4ad1ac89788b31ea7965cb3dee2b
SHA1 6e2818f498b61bb133cd3749c03c07936bbc50d3
SHA256 6687838f6aa6da40451191faabb289d73f5390acbcdc29ead5f43bfdadfa72f8
SHA512 64f8ebbae25898915c82c6eeff446651517fe59d25373d03cf0f7b5a5ee8b9e487440046a6db7df6a7ffa2b1229dfe0636e98ae3d74b0e7882e6825e06eaef01

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\0IQ11QT7\ORDER_01881371631.7z

MD5 97452a814679502c8939ef4c47f28bb6
SHA1 46b5cf285fd44c185dc69b0721ded4ba4f3fb880
SHA256 999d75f37b6119face47f303d5bd4cf83d5c62346f355a1388038e32359ecbcd
SHA512 4a8d5d940e7bc6eb8143390f9b5b3956dd7079601c026556f028f9703bf04b65b19ad0bee4abeada2640945bb185a199253e4bd7d46fe5ab3207ac2ede18a12e

C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Temp\7zOC91CDD66\ORDER_01881371631.exe

MD5 1a4664b8ff72e5e2cf7c5a5aa045bcf2
SHA1 74ec5407a7fab5056f17db186a0b2e79c86594d2
SHA256 9ea02d38fe4feff7c9818062f8fd0f9ac385e73f2ca702887eaa72f50696869e
SHA512 0441847cb72e671b3c085f2883356fd1550f3d024c2ea49d5b0d6677884067c6065b93b9205eac20e3e19e0d2b58546ba180896064000e4730b09816647ab3e8

memory/2408-232-0x000000007325D000-0x0000000073268000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\exhilaratingly

MD5 57526393506d5a53e6a40ade71ee8af6
SHA1 62ea25d35a4e8dab1acd3cf7c991e26079b767a8
SHA256 29232b112c00397078c4e59864cd323c60227b6f2dad38c944f695926ebfb575
SHA512 8581543251d75918724e3c90f446678f957dd5175ccd686364217a4264d9e2bc830a773d39f9320750fb1e0999b1ced6ed79d4044a40a088688feb73559597dc

memory/2152-245-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2152-246-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2152-247-0x0000000000870000-0x00000000008C4000-memory.dmp

memory/2152-249-0x0000000000AF0000-0x0000000000B42000-memory.dmp

memory/2152-269-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-251-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-267-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-265-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-250-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-263-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-261-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-253-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-255-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-257-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-259-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-275-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-299-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-309-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-307-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-306-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-303-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-302-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-297-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-295-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-293-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-291-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-289-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-288-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-285-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-283-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-281-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-279-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-277-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-273-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

memory/2152-271-0x0000000000AF0000-0x0000000000B3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\proximobuccal

MD5 3f5f6ba0a32ddc79cf7aea081629f1ab
SHA1 60b1e4944e7d6af94bf2c3e22742c0b02c560887
SHA256 70a8f39848f78d86bc80e3b5ba4bd1386391ac0e6af025d8415659fb10701304
SHA512 c00c8f1666834308adbd1a1d2a0a25c3d498018dd19ba8d2c3b10e9ee32819f944f7fb4e04092a60c84594c31a994cd7379cda5feb5137b888de5f9e0bfe474f

C:\Users\Admin\AppData\Local\Temp\exhilaratingly

MD5 85e20c3d5e31f09f3e2dc4059192b440
SHA1 2affd8b00a9bd2228dd08622777fdef528d36012
SHA256 3c5443fc2d4c438bfb483ea71b6685d594166b79ea1e47c41c61e232e6f374fa
SHA512 daf39b40ab5dc150d9a67f73936ec97b4fa9c5fbc52bfb9e5caf7ce265ed8ce905624820dbf83c56fa250758d7300b7c8d6832c1dd45f2cb5babe878d2b4e027

C:\Users\Admin\AppData\Local\Temp\autCB8A.tmp

MD5 f6fa7da59645eaebe34ddbdc13429228
SHA1 181b74e0f149f30db12e1d05515a428f60c14ea7
SHA256 076ee17ec4a8a811dac49244e41306e9ca2a3dd2a234f0d06d46b6a64b414157
SHA512 4ef3ce4ad356b6ea91d36840e3baa6b9f92564f358fefbb4cdd0be1f8ff1410862fc55c2f68a5dafdf3220885192266a6d0031f99bada6c2e8c9983c0c369892

memory/2852-2385-0x00000000004B0000-0x0000000000504000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm

MD5 30fbd58d7e89e1e047fd5412c1fc33f6
SHA1 a8f90669d291b68acaa85a3ab50e7b21e0be4d26
SHA256 88bd6a71f2e5dfc32ea1a9098a89583e63cb0d4980b6a18002d27f48bd90b939
SHA512 fc0d4bf9444bed808cbe82755f16844bed16a0bd57a3397ba9b2af2d5356c9886a747bcfe125a16f3b01b928e3e2f929f8624e1b1285febc78baeb35e288e3c4

memory/2408-3443-0x000000007325D000-0x0000000073268000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-19 09:41

Reported

2024-06-19 09:42

Platform

win10v2004-20240226-en

Max time kernel

34s

Max time network

39s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\ba53e28462f5be2540824ccde6aeb615c2f3d161.eml

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Local\Temp\ba53e28462f5be2540824ccde6aeb615c2f3d161.eml:OECustomProperty C:\Windows\system32\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\ba53e28462f5be2540824ccde6aeb615c2f3d161.eml

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
GB 96.16.110.114:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
GB 142.250.187.234:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 udp

Files

N/A