17bb9a6a569b22cdd46e3bfba8fcd9252de9ad311491e98a8b550bd488f25d17

Analysis

max time kernel
1791s
max time network
1565s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
21-09-2023 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6F325D43-223C-474A-973B-A701F40C1363.1_originalmail.eml
Size

47KB
MD5

e2ef9f01698b7ff00f6bc9c86dbf63f6
SHA1

be248a73986ebfa74a93cb29d61a627860cd64a0
SHA256

17bb9a6a569b22cdd46e3bfba8fcd9252de9ad311491e98a8b550bd488f25d17
SHA512

384ddcb1ae82a2f3f520d3d3b249937a6c30a45d890e02cf81d9ee35ad25c9ffa3826ad48d7ee183714ad73faff41c0aa93eaf3b84e3f64b1341e93af689c165
SSDEEP

768:4vLkxIse8kB7fxPVb7KvHGCqXJHREJr76K9NSGudFbwW+mJXZyQmzUmI9N5bBUNZ:4kWqkBjxWoEufP+mj/m4Unb

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Explorer Bars	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "401464501"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Explorer Bars\{28BCCB9A-E66B-463C-82A4-09F320DE94D7}\BarSize = 6801000000000000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000e33190aac7c6bc78e42f311b047bea79ff6155d0b2bae237f855c464c8879434000000000e80000000020000200000002820f5a871880790bec0a1f98ab1bed35ef79c8e79a8f2570e740d9a64f192f290000000f24d086f7e62ed33fa6c53d2e4bec22232bb505fb83f5cd0e39c92341b87431468ada09985bba38bcd1d5ed20a0b8ce7ad74beab67fbcf894e14e5b3e4f54acd872b02dd3f0f23e136488c94376ce41ac4186a679fcbf35deb62d280c6a32a950fdd70844207b2dde68f9484dc8047634d42fa927d320519dc3191fece0538b14a8ebbc9e03b8e4a9de6c3acf7c321eb40000000f05af652801216472889a4b9e06122b5bc4591539072daa1682853b81a1cb7079c9a222c0db0f9fe870534c1c0e70de77c3c0426a1bb59d518e8ca0d16a8a456	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bbd2da6efca7814e97bd67c6ea97aa8b00000000020000000000106600000001000020000000e77205c655779c79dbbd9650d5b2704f6ddff937a9641a8949baef7bc58acf87000000000e800000000200002000000035bfeab94f8a0e13d2f8b548a95c0a2a49dbf2d4d01773573a8f126025921d15200000008b2178f403c15cfa0f9ab606bb8ce031445c5e64c4e04ff72a895218daac14a74000000091b4053616be06697f69078ccb6e6d2a32f6989f7195e10c5157c357aa43220c9bb2aaeef7ac5d9417a350e74578fa58116cf7245e561b10974b74122aeade6f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3849525425-30183055-657688904-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E4-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300E-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063039-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\ = "_OlkOptionButton"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063049-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A7-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ = "OutlookBarGroupsEvents"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063099-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D87E7E17-6897-11CE-A6C0-00AA00608FAA}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ = "_RuleConditions"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\ = "AddressLists"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304B-0000-0000-C000-000000000046}\ = "AddressEntry"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063026-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E6-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F7-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EB-0000-0000-C000-000000000046}\ = "_ContactsModule"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DE-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006302D-0000-0000-C000-000000000046}\ = "_PropertyAccessor"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063005-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\ = "_AccountRuleCondition"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063104-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063038-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063070-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E0-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063072-0000-0000-C000-000000000046}\ = "_OutlookBarGroups"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063103-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ = "Attachments"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006308A-0000-0000-C000-000000000046}\ = "Links"	OUTLOOK.EXE

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1TECJVV9\Truteam.html:Zone.Identifier	OUTLOOK.EXE
File created	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1TECJVV9\Truteam (2).html\:Zone.Identifier:$DATA	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2108	OUTLOOK.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2108	OUTLOOK.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2108	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2108	OUTLOOK.EXE
2112	iexplore.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2108	OUTLOOK.EXE
2112	iexplore.exe
2112	iexplore.exe
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE
2108	OUTLOOK.EXE
2576	iexplore.exe
2576	iexplore.exe
2320	IEXPLORE.EXE
2320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2112	2108	OUTLOOK.EXE	31
PID 2108 wrote to memory of 2112	2108	OUTLOOK.EXE	31
PID 2108 wrote to memory of 2112	2108	OUTLOOK.EXE	31
PID 2108 wrote to memory of 2112	2108	OUTLOOK.EXE	31
PID 2112 wrote to memory of 2320	2112	iexplore.exe	32
PID 2112 wrote to memory of 2320	2112	iexplore.exe	32
PID 2112 wrote to memory of 2320	2112	iexplore.exe	32
PID 2112 wrote to memory of 2320	2112	iexplore.exe	32
PID 2112 wrote to memory of 2576	2112	iexplore.exe	33
PID 2112 wrote to memory of 2576	2112	iexplore.exe	33
PID 2112 wrote to memory of 2576	2112	iexplore.exe	33

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\6F325D43-223C-474A-973B-A701F40C1363.1_originalmail.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1TECJVV9\Truteam.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2112 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2320
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2112 CREDAT:275467 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fe24e173a7854055fcf6844fa926e514

SHA1
055d058d4e4d0a327c9436acf2f60f578ce42752

SHA256
72b918230221aa158ce659d7e1c3979449b5888d015509777c5db9613a41214c

SHA512
ecb101c67058c090554f29b60c83f21963f9086602fb62d4a3c38ee8a97845a3f9dcaa6e3d5bd457b5a3b1454cc92371b35f0c9f344b6a640f33d4a451944a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4c94505e2775f3975c23e7b64486b2f9

SHA1
18b73466b5add5483c9f2cb707e7679fd01fba48

SHA256
4a9540287eb7a2a7e537d4548dd8ff40c37aa30bada71e0fb057189194bd1687

SHA512
101883b8a29c0a8a389f93fe8fb812a98772746998872b138605620eaf1c91a4eca4ee6dabdbddd8213b77ea6d26b3107070d4bbfd8e4edb918de11434fccf49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf608ee9baf4b1fa4d35155a063ea2c4

SHA1
d4a9e9cf522c29affeb4ce6de77a24f2281ee3fa

SHA256
09657dc6f026a527c14ee0efa775f862c588057e76caad7e417db24e8cededda

SHA512
4c58a2eb2fe6eb85ebad8882a7aa8f80aacc2e5d8c7ec056a1ebe5fdf97b6c2c0819b3efb81a8e35d6a66b77730ed33fd5a82607690c8594dd4267a649dddb53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb85b87a72ff03d023fa45cc989cd1c4

SHA1
efe1998324cde2dbe0a5345d66060f7cb0119566

SHA256
e2b4c924cffa15a7eaedfdd465f6cd28ab63e283ef9f28dcd006f66612e9388a

SHA512
689475a68e0d1109d25732eb94bf51481c81ee770f2d398c10c59a43e3eba8e956ac0d5c7442a257bbadf737af8073b19792389c92f5d846736034e2ab854f8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
21edc1d872a5f9b83687eed04dcd19f4

SHA1
8c446a3c26d548975616768a5974be8490f1ff5d

SHA256
76717c33c7eb5d9153cf09207055a5c2cbd322074ffa3feb1a3b0c766c6aa4f7

SHA512
d383912b53752f7586225a00546701021fe317e04b07f44c3dd756c25a4715bb79c43846496c96a763e2e0aee896f788dcf7d6ee25e8193bb4a4bf925612a89c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3a1944134fddaa72a39d3070bd3f60e

SHA1
701dc77f0964d18e408dd2a0599af1e3322e6a16

SHA256
0909e2df7d3f4893f25add99e2b6558bfb19f26ea0216c9537c0116f5d858ae2

SHA512
73af821052565c991b49a843268295055544607102627a4aca6de662624eb5beded6dfacfab7e44422e5b371ce87033cbbcbe56e035f1de8ec52edc4675eb8da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aa9a7580fe88425595566c314163d9d3

SHA1
bfae033e34863696286370bc0acf0732e88c46ef

SHA256
f6352f6de02d45d5d356b5583b3160186f87a420f9abcdfe85b2888655ec53bd

SHA512
c206f715fc3aebff337548edd2771b4a548f5e55a42303913197accc5e4672e924f5ac74a94a0030464a49a89c3c95422845277e5ce92a9b048c1cecc53d4cca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9f3a697c4984fc4f2fab6d17723eaf1

SHA1
3ee1bf53d1a6448f2729d70c80bfbc0230d0756d

SHA256
e166ada3fad5590538426fe5788efbfa96bb65adfc0ba5d19e910ece4fc0f363

SHA512
bf301067331cf3d4941c5ef22beb767e820edf458abfe1d4d489b0ba8d10d04f0a0e182ce727123fb333dd98a8918a94a956a1c21cbba615b636827cf1a4b67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d37eb9acf74a3e0c4ecaef1d008ff8f

SHA1
5ac89c5e163b814e5d31708fa2f0a098a74b71eb

SHA256
ff2bb4f5f9b20f472b2ee1fcfe07ac2817d658fd9f69f37e783a186d89bd9ecd

SHA512
74dbab08bbfd628a4dfeefe77c8205ad712fef6ec7a713159c5c5d1a487719e8acb5bac3e808b0f9cbf3246e7ae3994178965cce9181d2aad6fb862a31903270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f90c8a175fab3df9eb90492383dd437

SHA1
2426123f7bc261189819ec1ce9c87b782bf2ffef

SHA256
c4433c3bb278c5b4ec4bac418539c43ea0b4bda528808e61728c0eab4da99e6c

SHA512
70aa0b9bdf26113041db61e64d0aef84a3d19f0de79b11707da89cd6dfc3c936978fd298b9a16449df51d41505889231e1df477d8235a164e165cf5b766ac0f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3a19d87b0edc9905959b665b85745b19

SHA1
36707588ade5824b7e1bbfc53d540511b4794a3d

SHA256
4249f0852326fd5878db14eb12ee92dd078d0b76309f06cd082c1a90324f6c89

SHA512
ce4f1b85ea9d9f8e9ad3cf1f5a0829ed176c9039e52f65015f34b327440b66d17931a0c2b6529e41e372deb53530499908fb745147a9e093d8f05ec1f5c3e4b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
886a0c3df753e6f151e8ddd5e8dce9f0

SHA1
87df12e0121234748dd899336f2f65d63c306eda

SHA256
8f7edd1601f7078aa5e3f58c66f36694f57c9a2592c9df536cc0760dd289c929

SHA512
c7a5f230f6f1fb976f95be6c9d7a583d868f89a6f00a6b220cd4ed728989027e03ad0ecae1516f1d5db692ca60e701b2a09a96d7845e19d1bba801745b5f1df2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
52a2e3c38a4e3c3e62e1377862aa8aae

SHA1
6ebe353071558783c5157f186d7395cb40c58b1f

SHA256
508ec27d2d86ff0655b829d8a817b66baa729250bf75a924d6db533f353abf46

SHA512
adc095089da6fe973e51bb64a12e580af8a9fc8aa299cfcaebe9a426a925e0ff242f3626f7cb09dc92e5ab51a338121bb7b8b4c578f5760eb2f10f0d2b74952a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
65ba4f2295628312d59a0ac9c112966d

SHA1
408d2e7d6ca83c9a793ce0f8517cad477b3240ba

SHA256
4feb7574f8c7c8fdcbe434e2da47871856f1e2b9e87934404e1a9e480c98c34c

SHA512
1b8c1837023b52941065a79c4c1343b0caa43c715a7ba263905bbf7e7ef7d56b5975aeb7cd84ee066a0fe327ec1364fc64d2ef4d1efce73a191dd2b70c612a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a4eaf8c796b15ba184f2cc482e9d9e8e

SHA1
8204e2ecfc92c5532955587926cb98115a47d8c9

SHA256
7b381a8a6ff710a0f895f4d9dc7372b61b3bbc873da0afd34dd8ee52810e4ac7

SHA512
b2b5af8d20f44507473ec6a69ccb9e487434fd82b446c7141a83b19d6f19ac87fc5e7295c9855763b27fb5200790ae38a7247d95f0989e11e14386a149755aaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e438c2534e94c053902d311de41a04c

SHA1
494ce800883c7febf812339570fb49b98218fb09

SHA256
340b43f8a79c20ad147318d3cbeff506afb768cefffc630a0988f0dc3efc83ce

SHA512
79254fb3ee995c330d9b3ca27fb0c42f25fa3eec9da795ce083ef992f47ffff600b711b3362161d6529115d5dcaf1560a1456487ca02ff1b3e8705efbebf3fc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b25a4533cfb1ca3ad26f0636ddba79d4

SHA1
323909262dcc0069a5fb45dd4841095f7b932190

SHA256
98e1179e28229d8f6eaf4898fc7a67517fc83632f356778ea43d96eee8efca38

SHA512
3e50f3ad567ea92e47e54371bf448853103803c2190101f59c5761bd28e085d30ecc7b1a3ea46fa8d355d9907157660b48803449904d29339bb930100b6cb566

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6d54fa337cea9dc86708c5b66f80afd3

SHA1
bad4ce38531b0282eed87ab8f7116ad72bb63868

SHA256
c1fd9d1773959ee5458ca78ce053ae310e7ad53263331b9b7c8cd5151ef9c21f

SHA512
641d1b3bcef80ca9eaa7809f0645e79ba42bed976a37ac6f47e6877d79513373cdb3d86318ba8e3c48a4a84c6377edbf2a0a7563862bda8b872dbdc6cf6124f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
438ef2ab5570ad28706b6f59184362f4

SHA1
afcd29add04b950368cbfe878c13742d9ab49607

SHA256
3f128126e04b350da4bb28964b4a701c3280a1f739a7d7fd0e8cadf13ab7773f

SHA512
8c35d359c7fca871790ff50bbacb802d6ffb9d52c17215608e6275d51e74ba875cb5410604da3a9de0b67ea9262c74ecddd29b5b05d068d3ab3c5b4f82354314

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2aec9e999a071b9675e9aafeb6e1c8ed

SHA1
3b6feeff336fa4a7a65aca9df58cc8680689b4ed

SHA256
2512a35c7db6e7c0637c97818b901120e07daebef4dbf7f40e3291d772078ef9

SHA512
7481af0c4943832a89fbea5f1a5784fd444e22b3f4a2668d285b52d3f3bd80105ecd4fdc408df9d0b6967533cfaf14071740b5fa966f015654e9ee950fa52413

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5e2cf5d736c6ca9fafc7f187504abf31

SHA1
19e5db02b29e66736a3aeb3aa2a0fd256af54cd7

SHA256
0ef8e3b4da258c80c45870306c5cfed3f025586e6067dadebc41908f81c6e923

SHA512
26433220f4ac61a497a4ca2fd42d44f9369f1f3d37c7498b166f03189090a951a2a942b30ab61bed7930312199cc7f7fcf0d26fad0ecdf95ba5d3144c6a54a9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77e000131e7882ef4ddc8eb4010f221c

SHA1
014fb187bad68429cce651e4684053eccd878394

SHA256
cdbbf4a74ce15b0d2809ed63aac0971fbc310a754e1fd81bfb32eb1e8d063a77

SHA512
785736b7176fcce2f87b472fca501dbc2e0b02641f04f03bcc2ee705a942024e0d4d1eccd1417224c53a5280f4affac618a4f2011c6de0b6dcae44674787f965

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
490c953c74c4c3bd46f173c8cbcb87c0

SHA1
71a0e85a7cdb4747ca1c3fba0f696fc5a94062dd

SHA256
e6dc32f38e26adf099e5b3e83eddf10c5889fff4f87f32537c3dadde491cfe70

SHA512
c5d3f1e8f28271355baaf1ed9ddd44cb331c7a3bc123e09ebe53a1b0dcbf319d908290d557c5cb794d049d0d6d4d615298d9ed1af292cc6c5fc8b23addb4238a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
238KB

MD5
7671baea2223d9058197d48e945240d3

SHA1
d82f523fdb99e2e6e8fb41be1b8f012de478ba1f

SHA256
19c08ea9b533b1b2c1c52aa0184b6d86604f79ee98d8ac481ef21a63278c75d6

SHA512
c76e5719436dec0995c8e2ce13dad3b375388fee282f69270c07b8402a968f70f3f23f546c66bd8267f6727bc02157c23c96b215d47d4ef8a94afc45595670d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
0740726936a9773a6aeb5abe2f2502db

SHA1
6845b0ded65ebb8aed33732b72e941934af74c10

SHA256
e9c06d7d3e68efc12ae055877d5b679b2e9b7a24ca73dbf49f3126a356c5fa80

SHA512
2d70452b511b19f5c58335ebf8bde6a412e4968d1cefc8327f82adc905b9e644444ac8d8cea0a3798754345d65487858ac51d7b43ca3af3931b8ae1247198811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
0740726936a9773a6aeb5abe2f2502db

SHA1
6845b0ded65ebb8aed33732b72e941934af74c10

SHA256
e9c06d7d3e68efc12ae055877d5b679b2e9b7a24ca73dbf49f3126a356c5fa80

SHA512
2d70452b511b19f5c58335ebf8bde6a412e4968d1cefc8327f82adc905b9e644444ac8d8cea0a3798754345d65487858ac51d7b43ca3af3931b8ae1247198811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1TECJVV9\Truteam.html

Filesize
381B

MD5
ed53257ac51d90f7eb0aa6d6b5c6510c

SHA1
7b21262319546731f64792d6ccc3ab710048e16c

SHA256
e302a6178f354a5ab212174f8820735e2aae301c833aff4993d19b544356d77a

SHA512
e8cb5e6475d19d20858dbe8dd4bd3e9976ca5589232de4ffb8520a814d07f7b4b4bca4b99128fcf22c19bc2ce47f16ca665a1ff3ea93136a3e62525843125b2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\1TECJVV9\Truteam.html:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab870D.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87FA.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\{7AADD8DB-DF44-4172-A893-1898C54C4112}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2108-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2108-790-0x000000000BB40000-0x000000000BB7D000-memory.dmp

Filesize
244KB

Download
memory/2108-161-0x000000007351D000-0x0000000073528000-memory.dmp

Filesize
44KB

Download
memory/2108-1-0x000000007351D000-0x0000000073528000-memory.dmp

Filesize
44KB

Download