purelogstealer | 45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3

Analysis

max time kernel
126s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-08-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Size

2.0MB
MD5

d4f9d1afe2b5bf3633642526c01625d2
SHA1

f553184ae1cf84c9d12ae7ea8262e1cec6442577
SHA256

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3
SHA512

dcb89b0095fd7ab16ecfd3e4d43d1d6358e612fda3fbdc1cc1dd8d49c69fe60759c20b5f28ec758a6a577626b796f4e2ee66aa7e1f01cfc008c0af6cf52b5c82
SSDEEP

49152:Be7O00O0FTsQTv1YcXKpRaV6NL4ZlEhLHSjqKoe:U7j0OWVTdYcfV6NL4ZlEpyjqKoe

Score

10^/10

purelogstealer collection persistence stealer

Malware Config

Signatures

PureLog Stealer
PureLog Stealer is an infostealer written in C#.
stealer purelogstealer

PureLog Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4300-1-0x000002444B7E0000-0x000002444B9E2000-memory.dmp	family_purelog_stealer

Suspicious use of NtCreateUserProcessOtherParentProcess 8 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	pid	process	target process
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE
PID 4300 created 3492	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	Explorer.EXE

Loads dropped DLL 1 IoCs

Processes:

InstallUtil.exe

pid process

4560 InstallUtil.exe

pid	process
4560	InstallUtil.exe

Accesses Microsoft Outlook profiles 1 TTPs 42 IoCs

collection

Email Collection

T1114

Processes:

InstallUtil.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key opened	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Humfa = "C:\\Users\\Admin\\AppData\\Roaming\\Humfa.exe"	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	pid	process	target process
PID 4300 set thread context of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exeInstallUtil.exe

pid	process
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe
4560	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Token: SeDebugPrivilege	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
Token: SeDebugPrivilege	4560	InstallUtil.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe

description	pid	process	target process
PID 4300 wrote to memory of 1664	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1664	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4944	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4944	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1652	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1652	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4456	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4456	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 3196	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 3196	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1364	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1364	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1712	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 1712	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe
PID 4300 wrote to memory of 4560	4300	45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe	InstallUtil.exe

outlook_office_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

outlook_win_path 1 IoCs

Processes:

InstallUtil.exe

description	ioc	process
Key queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	InstallUtil.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe
  "C:\Users\Admin\AppData\Local\Temp\45458cb19216ce36f2c0391b90bd0e35a74583d0bdfd5a2e48e9e1d625cceba3.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:4456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:3196
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  - Loads dropped DLL
  - Accesses Microsoft Outlook profiles
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4104,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
1⤵
PID:4640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Bexnt.tmp

Filesize
232KB

MD5
8f6e0ed27bd144584facc0526972bdbc

SHA1
943b0460c72e165461c81753597070c0203473c7

SHA256
86bb73777731ded6a84cce3c50486dc6548e788c90a5783554f1cc632c3d8418

SHA512
d71813a2afe975d904c71d52bc9682b55211b1dda090f9394b702c63ebc49b5f763d232e5313d3a499ddb090bcfa6b05ccc386c6f4fe5bc1067d86cbab121402

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\AF7011DB9BA75DE3E4434379E8037F31\64\sqlite.interop.dll

Filesize
1.7MB

MD5
d3f0fe99d31783cff15c1bae1f89734b

SHA1
1b706eb0e4bda293dfbb0d08c7a2b652d6ad425b

SHA256
7b591146c1f26d84b92d6c2113f9bfcf6c9d11728da3baf7973b94db523256e7

SHA512
737977344ecb252cf86768d14ae4602ab1a24adaa8f61f52beeee25b70d0ad46c834078b46e98aad4e1f9cac54b0754720c5170c4f533b12e96f0b1421727d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fbvublaizsc.tmp

Filesize
114KB

MD5
6e389da3969c19b6dbfb95013149bbb5

SHA1
f02ff8f1f1b353e36e4f609d39815c17eba8cee3

SHA256
4928d3109995b2faee203bc67184c892e9633fc7df6ad619f5852cf680c36ed4

SHA512
af965dc6aa1c26442f883e2d916509bc7766b425768e6a482223fdd1d3a5133c3b1955ad91bd578c387cc260efee4f738095d8ed7bafb7ed953edcc948313636

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rydtklimchl.tmp

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zdrwrfbhc.tmp

Filesize
192KB

MD5
afa36fe96980a30aafbf14d59841152f

SHA1
3c97dd026fdbaf27c693294c1c3cd45bcd204551

SHA256
5de6eff96c5db617ba9daa9822ec91e87d3b562771557b539376a6ce1c71936c

SHA512
e592edbb241779b15cf1463077419818fd62f34411fa18d776ee5aff001f461b3a00ec90299774ce8eccd340549141b6c3d31ff461e365a38e906584398233dc

Download Submit
memory/4300-20-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-16-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-64-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-18-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-62-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-15-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-12-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-10-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-8-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-5-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-60-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-52-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-50-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-48-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-46-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-44-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-42-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-40-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-36-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-34-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-32-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-30-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-26-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-24-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-58-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-0-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

Filesize
8KB

Download
memory/4300-68-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-66-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-28-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-38-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-22-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-56-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-54-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4300-1077-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-1078-0x00000244662D0000-0x00000244663FA000-memory.dmp

Filesize
1.2MB

Download
memory/4300-1079-0x0000024466400000-0x000002446644C000-memory.dmp

Filesize
304KB

Download
memory/4300-1083-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-1084-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-1085-0x00007FFEA0393000-0x00007FFEA0395000-memory.dmp

Filesize
8KB

Download
memory/4300-1087-0x0000024466650000-0x00000244666A4000-memory.dmp

Filesize
336KB

Download
memory/4300-1-0x000002444B7E0000-0x000002444B9E2000-memory.dmp

Filesize
2.0MB

Download
memory/4300-1092-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-2-0x0000024465F70000-0x000002446611E000-memory.dmp

Filesize
1.7MB

Download
memory/4300-4-0x0000024466120000-0x00000244662D0000-memory.dmp

Filesize
1.7MB

Download
memory/4300-3-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4300-6-0x0000024466120000-0x00000244662CA000-memory.dmp

Filesize
1.7MB

Download
memory/4560-3944-0x00000138C6600000-0x00000138C6818000-memory.dmp

Filesize
2.1MB

Download
memory/4560-3945-0x00000138C6820000-0x00000138C6B4C000-memory.dmp

Filesize
3.2MB

Download
memory/4560-3943-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4560-3950-0x00000138C6C50000-0x00000138C6CCA000-memory.dmp

Filesize
488KB

Download
memory/4560-3951-0x00000138C6D20000-0x00000138C6D84000-memory.dmp

Filesize
400KB

Download
memory/4560-3953-0x00000138C6DD0000-0x00000138C6E0A000-memory.dmp

Filesize
232KB

Download
memory/4560-3954-0x00000138C6D90000-0x00000138C6DB6000-memory.dmp

Filesize
152KB

Download
memory/4560-3942-0x00000138ADAB0000-0x00000138ADB4E000-memory.dmp

Filesize
632KB

Download
memory/4560-1094-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1142-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download
memory/4560-1093-0x00000138C6360000-0x00000138C646E000-memory.dmp

Filesize
1.1MB

Download
memory/4560-4004-0x00007FFEA0390000-0x00007FFEA0E51000-memory.dmp

Filesize
10.8MB

Download