Analysis Overview
SHA256
d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214
Threat Level: Shows suspicious behavior
The file d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214 was classified as showing suspicious behavior.
Malicious Activity Summary
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-17 09:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-17 09:41
Reported
2024-11-17 09:43
Platform
win7-20241010-en
Max time kernel
122s
Max time network
127s
Command Line
Signatures
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2484 set thread context of 2224 | N/A | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe
"C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
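What the tables above record is a process-hollowing chain: the sample (PID 2484, running from the user's Temp directory) launches the framework-signed InstallUtil.exe with no arguments (a real install always passes an assembly path), then uses WriteProcessMemory and SetThreadContext against PID 2224; the later memory dumps for 2224 at 0x400000-0x470000 are consistent with the original image having been replaced. The hollowed InstallUtil.exe then walks every Outlook profile location, including Office version keys 17.0 through 20.0 that no shipped Office release uses, under the well-known profile subkey 9375CFF0413111d3B88A00104B2A6676, where MAPI stores account settings and saved credentials. The "Key created" rows most likely appear because the sandbox has no Outlook profile, so the open-or-create call made the keys itself. The detector below, an added example that is not part of this report, runs that logic over constructed Sysmon-style events (Event ID 1 ProcessCreate and Event ID 12/13 RegistryEvent, hand-built from the report's rows); the parent of the sample, the benign PIDs 5000 and 6000, and the allowlist of legitimate MAPI hosts are assumptions.

```python
"""Detect no-argument InstallUtil.exe launches from user-writable paths and
Outlook profile registry access by non-mail-client processes, then correlate
both per PID.  Added example; events are constructed, not sandbox output."""

import re
from collections import defaultdict

# Outlook profile stores: per-version Office keys and the legacy Windows
# Messaging Subsystem key.  The report's rows all fall under one of these.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(?:Office\\\d+\.\d+\\Outlook"
    r"|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)\\Profiles\\Outlook",
    re.IGNORECASE,
)
# Parent images living here are user-writable and rarely launch .NET tooling.
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\(?:AppData\\Local\\Temp|Downloads)\\", re.IGNORECASE
)
# Assumption: processes allowed to read Outlook profiles; extend per estate.
LEGIT_MAPI_HOSTS = {"outlook.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _argv0_only(cmdline: str, image: str) -> bool:
    """True when the command line is just the image path, quoted or bare."""
    c = cmdline.strip()
    if c.startswith('"'):
        end = c.find('"', 1)
        if end == -1:
            return False
        head, rest = c[1:end], c[end + 1:]
    else:
        parts = c.split(None, 1)
        head, rest = parts[0], (parts[1] if len(parts) > 1 else "")
    return head.lower() == image.lower() and rest.strip() == ""


def check_process_create(evt: dict):
    """InstallUtil.exe with no assembly argument, spawned from Temp/Downloads."""
    if _basename(evt["Image"]) != "installutil.exe":
        return None
    if not _argv0_only(evt["CommandLine"], evt["Image"]):
        return None  # genuine installs pass an assembly path
    if not USER_WRITABLE_RE.search(evt["ParentImage"]):
        return None
    return "installutil_no_args_from_user_writable_parent"


def check_registry(evt: dict):
    """Outlook profile key touched by something other than a mail client."""
    if not OUTLOOK_PROFILE_RE.search(evt["TargetObject"]):
        return None
    if _basename(evt["Image"]) in LEGIT_MAPI_HOSTS:
        return None
    return "outlook_profile_access_by_non_mail_client"


def correlate(events):
    """Map ProcessId -> (severity, sorted detection tags)."""
    findings = defaultdict(set)
    for evt in events:
        if evt["EventID"] == 1:
            hit = check_process_create(evt)
        elif evt["EventID"] in (12, 13):
            hit = check_registry(evt)
        else:
            hit = None
        if hit:
            findings[evt["ProcessId"]].add(hit)
    # Both behaviours on one PID is the hollowed-host-plus-theft pattern.
    return {pid: ("high" if len(tags) > 1 else "medium", sorted(tags))
            for pid, tags in findings.items()}


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe"
INSTALLUTIL = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
PROFILE_KEY = (r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook"
               r"\9375CFF0413111d3B88A00104B2A6676")

# Constructed events mirroring the report; explorer.exe parent is assumed.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2484, "Image": SAMPLE,
     "CommandLine": f'"{SAMPLE}"', "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 2224, "Image": INSTALLUTIL,
     "CommandLine": f'"{INSTALLUTIL}"', "ParentImage": SAMPLE},
    {"EventID": 12, "ProcessId": 2224, "Image": INSTALLUTIL,
     "TargetObject": PROFILE_KEY},
    # Benign: a real installer invocation with an assembly path.
    {"EventID": 1, "ProcessId": 5000, "Image": INSTALLUTIL,
     "CommandLine": f'"{INSTALLUTIL}" "C:\\Program Files\\Vendor\\Svc.exe"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    # Benign: Outlook itself reading its own profile.
    {"EventID": 13, "ProcessId": 6000,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": PROFILE_KEY},
]

if __name__ == "__main__":
    for pid, (sev, tags) in correlate(SAMPLE_EVENTS).items():
        print(pid, sev, tags)
```

On the sample events only PID 2224 is reported, at high severity, because it both matches the hollowed-host launch pattern and reads an Outlook profile; the argument-bearing InstallUtil.exe run and Outlook's own registry reads are not flagged. For live use, feed Sysmon events with the same field names and tune LEGIT_MAPI_HOSTS and USER_WRITABLE_RE to the estate.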
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | web.koto.games | udp |
| US | 193.26.115.178:7702 | web.koto.games | tcp |
| US | 193.26.115.178:7702 | web.koto.games | tcp |
Files
memory/2484-0-0x000000007456E000-0x000000007456F000-memory.dmp
memory/2484-1-0x0000000001100000-0x0000000001218000-memory.dmp
memory/2484-2-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2484-3-0x0000000000900000-0x0000000000944000-memory.dmp
memory/2484-4-0x000000007456E000-0x000000007456F000-memory.dmp
memory/2484-5-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2484-6-0x0000000000650000-0x000000000066A000-memory.dmp
memory/2484-7-0x0000000000950000-0x0000000000956000-memory.dmp
memory/2696-8-0x0000000000090000-0x0000000000100000-memory.dmp
memory/2696-9-0x0000000000090000-0x0000000000100000-memory.dmp
memory/2696-10-0x0000000000090000-0x0000000000100000-memory.dmp
memory/2696-11-0x0000000000090000-0x0000000000100000-memory.dmp
memory/2696-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2224-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2224-20-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2224-22-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2224-21-0x0000000000400000-0x0000000000470000-memory.dmp
memory/2484-24-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2224-23-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2224-26-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2224-25-0x00000000005B0000-0x000000000064C000-memory.dmp
memory/2224-54-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-44-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-68-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-74-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-72-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-70-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-66-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-64-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-62-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-60-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-58-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-56-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-52-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-50-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-48-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-46-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-42-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-40-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-38-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-36-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-34-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-32-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-30-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-28-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-27-0x00000000005B0000-0x0000000000647000-memory.dmp
memory/2224-2934-0x00000000020E0000-0x000000000212C000-memory.dmp
memory/2224-2933-0x0000000000A30000-0x0000000000A5C000-memory.dmp
memory/2224-2935-0x00000000051A0000-0x0000000005292000-memory.dmp
memory/2224-7956-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2224-7957-0x0000000074560000-0x0000000074C4E000-memory.dmp
memory/2224-7958-0x0000000074560000-0x0000000074C4E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-17 09:41
Reported
2024-11-17 09:43
Platform
win10v2004-20241007-en
Max time kernel
98s
Max time network
141s
Command Line
Signatures
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4032 set thread context of 228 | N/A | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe
"C:\Users\Admin\AppData\Local\Temp\d7146b7c63fb5dce714b91fc4690a1e885ee011d406a2e02d6ff80b3f53ae214.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | web.koto.games | udp |
| US | 193.26.115.178:7702 | web.koto.games | tcp |
| US | 8.8.8.8:53 | 178.115.26.193.in-addr.arpa | udp |
| US | 193.26.115.178:7702 | web.koto.games | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
memory/4032-0-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/4032-1-0x0000000000890000-0x00000000009A8000-memory.dmp
memory/4032-2-0x0000000004E40000-0x0000000004EDC000-memory.dmp
memory/4032-3-0x0000000002A00000-0x0000000002A44000-memory.dmp
memory/4032-4-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4032-5-0x0000000005700000-0x0000000005CA4000-memory.dmp
memory/4032-6-0x0000000005370000-0x0000000005402000-memory.dmp
memory/4032-7-0x0000000005330000-0x000000000533A000-memory.dmp
memory/4032-8-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4032-9-0x0000000074D2E000-0x0000000074D2F000-memory.dmp
memory/4032-10-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/4032-11-0x0000000006820000-0x000000000683A000-memory.dmp
memory/4032-12-0x0000000009560000-0x0000000009566000-memory.dmp
memory/228-13-0x0000000000400000-0x0000000000470000-memory.dmp
memory/4032-15-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/228-16-0x0000000004EC0000-0x0000000004F5C000-memory.dmp
memory/228-73-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-79-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-77-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-75-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-71-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-69-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-67-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-63-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-183-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/228-61-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-59-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-57-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-55-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-51-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-49-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-47-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-45-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-41-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-39-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-37-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-35-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-31-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-29-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-27-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-25-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-23-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-21-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-19-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-18-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-17-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/228-65-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-53-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-43-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-33-0x0000000004EC0000-0x0000000004F57000-memory.dmp
memory/228-2926-0x0000000005070000-0x00000000050BC000-memory.dmp
memory/228-2925-0x0000000004F90000-0x0000000004FBC000-memory.dmp
memory/228-2927-0x0000000005400000-0x00000000054F2000-memory.dmp
memory/228-4529-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/228-7949-0x0000000005560000-0x00000000055C6000-memory.dmp
memory/228-7950-0x0000000005F50000-0x0000000005F62000-memory.dmp
memory/228-7951-0x0000000006760000-0x00000000067B0000-memory.dmp
memory/228-7952-0x0000000074D20000-0x00000000754D0000-memory.dmp
memory/228-7954-0x0000000074D20000-0x00000000754D0000-memory.dmp