e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51

Resubmissions

23-08-2024 15:04

240823-sfqtbstdnr 6

23-08-2024 12:46

240823-pz1absxcjr 10

23-08-2024 12:35

240823-psg56stfqf 6

Analysis

max time kernel
111s
max time network
96s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml
Size

15KB
MD5

b2e25716e5e73243001ddba02b023077
SHA1

d8ebde9deb98895999d08a482f100da3b18e9c0c
SHA256

e572751b2793c544ab7f6742a53e5779b35689e61edd8b2434fbcc30e2d65d51
SHA512

6415678e4fef5ceb29e159560b80c81926e5f509a378660f01ed2fe0eebda0bd8fc89ae60e6e99c9ba4dda89b7a4eee16304d25e832ad0bb686cfd4dbb0f1821
SSDEEP

192:aUdKM3CU9jeGADEAVKRzRqIQNAyRXS5wUGTw2usvGXwYSJ2hFj3k9OZ3XT9BQXKd:FKM3CUVeGAbVKRzRyAci5wUCu40zfd

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
17	drive.google.com
15	drive.google.com
16	drive.google.com

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OUTLOOK.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 60ffc40a59f5da01	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f0000000002000000000010660000000100002000000080cbe23b9552d8aa49c2d2c00571feff427d0f8e7a1fbdc99097f7ca6651a446000000000e800000000200002000000092c8e9118f3c2145acec9537ca26d57c31267a7e1c137683fd5c254a2fed0971200000001e1495a2d95509fe37b6b97370c60e4e990a3acd2fa8e7ed079828524eebff03400000006edc4922c0862dfd034f59c1dbfc03fb94056b54fd155c5c3c98a71383cec634ecdc6a89b0719ad8ada2ba2a6a4686c662e2b79e71b9e3ec8572066930bab044	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3E5150E1-614C-11EF-9A68-F6314D1D8E10} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d04b0c1659f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000082ebb0b9d6f3f0458e93e15bd38f268f00000000020000000000106600000001000020000000d164cac4e4b1efd5a8b645e5ecd2be0de196d8ac3794d811644449234b20ceb1000000000e800000000200002000000025ce7398f6488e18d7f35ee6c764a7c4d15c38b2e6d21d6c2c0bb85ca32fab46900000006259e1e6adaf4db7dec6fec2de3260bfd866e3ee676bfb72c5c1d95a61044684c17a9d4f5fede9f34f5020a41f21a8e08aab27edfbf5d6f2aaa6023ce037d3a19852a841c1e6dd8c8d8846241519faa972e2c971f1943b66923d6f2eb4aa6c585799252ca0ef957460a5d432d3cee293c3e46dd7086a8ab166dcf53b254edfe8e999b01b99c1227615d1e1ebd97e44fa4000000099d5f0d9809e43b01e5860dd6414c40e75fe1d94ea07f74ccc246cbece881798033319162dc311bbeed2490733be1024b5d5150a2501f12b852982a027d4baaa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430578426"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C3-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307F-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F7-0000-0000-C000-000000000046}\ = "OlkInfoBarEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F9-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EE-0000-0000-C000-000000000046}\ = "_NotesModule"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305A-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ = "_ViewField"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063073-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C2-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ = "InspectorsEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303E-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063009-0000-0000-C000-000000000046}\ = "Panes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E1-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EF-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063006-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B0-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063043-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063087-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630ED-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ = "_BusinessCardView"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303D-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308C-0000-0000-C000-000000000046}\ = "NameSpaceEvents"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E0-0000-0000-C000-000000000046}\ = "OlkCommandButtonEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063074-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063105-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1968	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1628	7zG.exe
Token: 35	1628	7zG.exe
Token: SeSecurityPrivilege	1628	7zG.exe
Token: SeSecurityPrivilege	1628	7zG.exe
Token: 33	2780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2780	AUDIODG.EXE
Token: 33	2780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2780	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1968	OUTLOOK.EXE
1608	iexplore.exe
1608	iexplore.exe
1628	7zG.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1968	OUTLOOK.EXE
1608	iexplore.exe
1608	iexplore.exe
692	IEXPLORE.EXE
692	IEXPLORE.EXE
1968	OUTLOOK.EXE
692	IEXPLORE.EXE
692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1608	1968	OUTLOOK.EXE	32
PID 1968 wrote to memory of 1608	1968	OUTLOOK.EXE	32
PID 1968 wrote to memory of 1608	1968	OUTLOOK.EXE	32
PID 1968 wrote to memory of 1608	1968	OUTLOOK.EXE	32
PID 1608 wrote to memory of 692	1608	iexplore.exe	33
PID 1608 wrote to memory of 692	1608	iexplore.exe	33
PID 1608 wrote to memory of 692	1608	iexplore.exe	33
PID 1608 wrote to memory of 692	1608	iexplore.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\ORFEO _20246307407492 - URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://nam10.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdrive.google.com%2Fuc%3Fid%3D1DMMujrAVJiEDlzeZDtnSs3SX8mp_3JBh%26export%3Ddownload%26authuser%3D0&data=05%7C02%7Cradicacion.entrada%40adres.gov.co%7Caf084811c2714df2917208dcbc6bfc1d%7C806240d03ba34102984c4f5d6f1b3bc4%7C0%7C0%7C638592419199975042%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=nTqmaxO6l42BhGK%2Fb184TjEh%2FuTAMZzDdGxd6YfMXO8%3D&reserved=0
  2⤵
  - Modifies Internet Explorer Phishing Filter
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1608
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1608 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:692

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\URGENTE requiere POR SEGUNDA VEZ Respuesta al oficio No.111 RD Rad. 2013-656\" -spe -an -ai#7zMap23277:214:7zEvent3452
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
a3903ce2a0ab94567901b8a2ec80ada0

SHA1
54fb764eab120200444ec557cba97d55bf746b5e

SHA256
9631a9af09c825651abf913c440ba0d1c0b2b6c66e57ec221d39948b83674340

SHA512
2b65f95ffd8bb5ca31eaa7d8ad6a6f3c6d9db2fcb995eac743c172b0fc09cb261ca477ea6d9ba92f14cf710dc3cb729fd15993f63fac893841e38b2083449991

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af136f99ea78daff42ce088f35c14288

SHA1
5d8749e0f5de0115b2233d66081d3b6ed1ab392d

SHA256
5d944d178b86c488a436dbf468e66f51cca8255bfdcf986ddb89b9e644427988

SHA512
102b6cb4f54242e2a457dc6bdd19fecd08134223bbfe7133a99be6b6d64b42aae591cd31abddc72926df9800739f1c479ab691b013c56a8f6ab83c69dd65899f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3735ba4736d4eb44168bc91a8d00edb

SHA1
af670527302f0325337ce353c438a2f8d5ce9c90

SHA256
ba57ac5779c826516418e19148d97b0042cdcdd37833bdb075457eec408872ea

SHA512
9116bd522803bdace389160c0150dfc0315bf8ce6f8b67a3168bc47938c9f29aa3628dfebfc8b7bca38ebfcb275e9ac9a50b764a0a50afbcf6bd2caeba4a7138

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60d321e36abac544cf6844c69c01f43f

SHA1
9145085719760bfef562b8061e35b031a65fe6a8

SHA256
3371e2602788efdd374bb5f94c646058bb56ce5c798cf0b4a62cfa359806ef9a

SHA512
d865a5b1579bc388325e4f407adf41d65375d0f0549cdec8cac58328059560a4eb958ef9a68b6851e78f6af2575333a38256c36a5ace69f13c8b18a88e342a5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdf1ec62a15e4b60eaa9e259abcd1ba1

SHA1
e77d5f3d4b8b3beac9f4537f848dc0cd1631e8b7

SHA256
30e9052d898315ec914c0c9ab21706d4f5121677a860cba2cf044e9b80a364ca

SHA512
4827d965382be9a143748410e861df0215b34df13b81ba323b7f93d254adcb98c7992533a148fb3d9474901ceb961d514bfc16423a8ef9c4bd6824ac0b964ba7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7419957f629a377c1a67ec91a5363258

SHA1
8d09b8d3ff0c7f555ad94ca9c5691cc5d7ad5f85

SHA256
d790c08d411e8a852ef62ce4b6af38541139cbf142da29b54d1d92b256b16a86

SHA512
7450e2f28453af21d71f21c0f27c6b5fad1643a1f5d17f8537f96becd4c77196f7c863dceac06376d74b6ecf29ef0a516b2310e35e5db5e9bf205ff497a4ed0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f4f6d63053e1a01ad8d2da6054978c3

SHA1
87c76a2dfc8aa1d5bc0513b677eba2de1a13d78b

SHA256
2068b1a2a435fc409acb735940ac0a9610d1439e4b6d460dd1d68346f5e0a62d

SHA512
0b59749315e173fdf6ce918ac4e3729b0fffd1dd7de748ca706a04d1947a579b34d525842f6864995081e6a5b0303b34be3c4652d6bcfdab5aa0779759f33644

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2c7ef663a58d5c4c54ff62d066b019c

SHA1
a3061a10088ff2a4e2a640effb0ae78b5cc5b6ea

SHA256
7532f8959b1b0714aa0249bbea79b891648d8044d570b01e63efb37f731cd44f

SHA512
aebf9e7903fb48805651995d0b65aac94e23fa088d567fd186471b751d7d53eb68c2678cf6a255c34b50ba50e5e624adc614a34a4da2254cf863e3015ca0c1ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a60c8023d4ab9afbe932c308922109a2

SHA1
970a8f9457d54ea9b247a22ae42bfc556fe02cbd

SHA256
5c67b0f30fdc16795c9b460161f196effcb9d41651e89151fdd86d81bd8a8b05

SHA512
0eb8c69daf6497e52e9649299dd2999eb4fb3028d9741bf16f3177bc74cf9ba1e3e26ec6d084e3f06d6cc72349c611b2fa56fe175edad9d1fa159fd2e64a32da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2ea6211e177fe4e3452f3f7412cf4c8

SHA1
1bd080ee32be96b3efb58dfa249b9c4ec513a6da

SHA256
71b00e759b2776f3bd659a78c5275ae596ca5eb0c2a39dc92db97474493fb4f2

SHA512
20ce6964554be27c826140a30b274ec039fbc8ad8f8614b9ca36c57225896303172b4ed12bead02a2452fa58211fd53fb6087e2f5501c8f75c171d963161efb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f04959238b5e08db12a202778ad9319

SHA1
2f97fda7fc780efc44277e57cfb422377bf14449

SHA256
b4bfccc1b911e07ca4d461be81f7ad464e4af50d6937d5ca7702eedf98ab3b5c

SHA512
0156e7ac9a1733beecc81f8786e6c9194f41bac8763034a544fd8fa58c202d97efa17bacaf2b3f57076ff447e9354e9cba496fb87eae3f32f0ed551182ca989e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e6359a989592de0e55fa089b640405d

SHA1
73b4b0ba8ad9bba86fbd90349ac0849487cecfac

SHA256
a283f12990026572cbd0f709567e2a48371c1752c2089e092f98ba6a1c424702

SHA512
775c74baed81ebbba29cae217643ef89d2d7c4bb44e19387bd4e34e3f267eb9620257b3b833126f16219454dda3f1a5b478599074375a35794511b10cf8cd4dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1496b452116513a42927a183de06567

SHA1
b7620751fcc18cdfa0cc1e7f175d1e697e861a2b

SHA256
a5081d6c5dd76f74d47db66874d4eaa2bbbd6a841ec7a16b5ff1c0061df45091

SHA512
d1c1d3c95d32054a3ab1d2e2ba18d75e0058f0a9f9a2bc70ab9b5238f9ddd60ef82ff5e611c571445c7597048b22f1c40a19aeccd3f940604540e6445ba935f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e071bf19607f6bdc8f11b4475b314a59

SHA1
852c583e776457745d1a63295d2eec3d0ef83823

SHA256
ed8af73b88e6f6b39b284b9b9ddff92810c8402f35910f92fd794a9dcc562b78

SHA512
2b1e23466db41df5f55e9f9a2ebe231f5c5de39844856e3eaa87c02de2d5364bf7824381bd19bda3e90a0cd8540951e926ed5058f33f92daf65bb3259522e19c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ee6dad5d62569c5a139782f9ae227158

SHA1
c180ddab1eb321f4454e1de157d3416b5a81b58b

SHA256
a4d1592e3506106df0fe267fdce9938930435685a273a5852909cca2f7fa43ec

SHA512
c236abe15fd242190ba10918bbfb3016232ad6cbe52a638c60fe8cc5100f8702cf698bd92d27a650c9fc9b5bd9e05a62a8632ed2d7f03e88fe5f5540e4e7bf94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1804975a003a2e0f0e234073716cdbf1

SHA1
b14712def59474b575b24950abf114c79fd3789e

SHA256
422aeaf173d3ff0ff212d59831aa0bd6d01a1860f4d6a558a4a3e9fe03cedcd6

SHA512
3ec0c7a5b496fad0f9dc42ae36b8445146eb6dbc57eace918edfc2a20cbeeeaae63724c605516d7c8d7f23f5bbceb9ac726da793df74822bd39164cd3ff348f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
c3cb35dff99c260241c104f551b9dd63

SHA1
1d2ae7500f269249cfb26e0f7c50975523fbaeaa

SHA256
1c8733027745c2a3a65c2b8e6e9bee184e8017e09ee97a9a3f8659a92a0dc19f

SHA512
601bf18a54811e0bdc8b9e63e669fb0a4562c5cc49c0375ab9c91db94b902ed78b5da2447e342138ea5f9ea9aac278a51d73417cac50f7ecd97874d444db8bd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hqw8ypt\imagestore.dat

Filesize
1KB

MD5
833e15a5d8ad7be8ebd0b0824e35af7a

SHA1
d8c3f4096d20e0f83c98d9ce76203918b544115c

SHA256
46e3a568250262c987a061ea438b3dab28ee6b73fc380e854ef54727b2bd56a2

SHA512
a0d6f9dc3365c54e101350220779758273934c2e9dcaea082102b80f17885fa5dae03d9039b169c07044f9f55e20411b5a8182c5f3813d7aca4d82a6bd7d24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\URGENTE%20requiere%20POR%20SEGUNDA%20VEZ%20Respuesta%20al%20oficio%20No.111%20RD%20Rad.%202013-656[1].REV

Filesize
1.2MB

MD5
e8a7e910aec12a584bcfe6925be20efe

SHA1
59f5c8dace1da214bc8e6086b21a6bbfeb114449

SHA256
0e559172d232f5fd5fe97331941cc210ed8de9d7ca09636514f536fd1797c69d

SHA512
1a4d7802ca16b191fc1571fafd79f2f96a5dc7e8987c554046a544c99c45f4703dabf78efbad3257ae5be0d07ff538fceb3251c0b0306f5631534dfe3d4d5e40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7GT0RRO\drive_2022q3_32dp[1].png

Filesize
1KB

MD5
c66f20f2e39eb2f6a0a4cdbe0d955e5f

SHA1
575ef086ce461e0ef83662e3acb3c1a789ebb0a8

SHA256
2ab9cd0ffdddf7bf060620ae328fe626bfa2c004739adedb74ec894faf9bee31

SHA512
b9c44a2113fb078d83e968dc0af2e78995bb6dd4ca25abff31e9ab180849c5de3036b69931cca295ac64155d5b168b634e35b7699f3fe65d4a30e9058a2639bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17E5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar18A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{B8435631-7DF8-4053-A9E1-EC7759AD72B5}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/1968-1-0x000000007341D000-0x0000000073428000-memory.dmp

Filesize
44KB

Download
memory/1968-124-0x000000007341D000-0x0000000073428000-memory.dmp

Filesize
44KB

Download
memory/1968-163-0x0000000069451000-0x0000000069452000-memory.dmp

Filesize
4KB

Download
memory/1968-681-0x000000000B0C0000-0x000000000B0F1000-memory.dmp

Filesize
196KB

Download
memory/1968-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads