Malware Analysis Report

2024-11-16 15:46

Sample ID 240220-sba73saf29
Target Inicia sesión en tu cuenta de Google.msg
SHA256 ae94a1a0a393546c0dc5cc292827b881a0d1f39149e507400acc89a751645e66
Tags
google phishing
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ae94a1a0a393546c0dc5cc292827b881a0d1f39149e507400acc89a751645e66

Threat Level: Known bad

The file Inicia sesión en tu cuenta de Google.msg was found to be: Known bad.

Malicious Activity Summary

google phishing

Detected google phishing page

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 14:56

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 14:56

Reported

2024-02-20 14:59

Platform

win10v2004-20231215-en

Max time kernel

143s

Max time network

151s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\Inicia sesión en tu cuenta de Google.msg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\Inicia sesión en tu cuenta de Google.msg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 14:56

Reported

2024-02-20 14:59

Platform

win7-20231215-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Inicia sesión en tu cuenta de Google.msg"

Signatures

Detected google phishing page

phishing google

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6D26F0B1-D000-11EE-BC40-6E3D54FB2439} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f030df480d64da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "414602953" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d80bef292bee784c8e3c940d61fdfeb800000000020000000000106600000001000020000000f05f9a0576678c7b9709d250824382bb56832d090708f780da687cf1f28f5a63000000000e8000000002000020000000dc4824b8e3df1951a04a4e8e83ced77fa1852f6719406810b17a23a6df99d80220000000be1d2e9ea70f68d20f4b5f8f5a93456e4d292235f653a0c8de359b974a9477314000000023a8f865567c83ddab759a4365eba0dd5d0bfb13d89258a14906e30e48f99af0b586aded12adb9bf20f7dcb776b48cae0ba45ef1c7c257a0b61a05f6f5bb9c35 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\accounts.google.com\ = "6" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2432 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2432 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2432 wrote to memory of 1140 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 1140 wrote to memory of 2832 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 2832 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 2832 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 2832 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1140 wrote to memory of 1620 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\Inicia sesión en tu cuenta de Google.msg"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Faccounts.google.com%2FAccountChooser%3FEmail%3Djuan.andres.abogados%40gmail.com%26continue%3Dhttps%3A%2F%2Fmyaccount.google.com%2F&data=05%7C02%7Ccarolina.darder%40melia.com%7C427008d63ec3409d190208dc317792a6%7C95aa7611d6f64b1ca5aa59e29f383065%7C0%7C0%7C638439636836156344%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=H0BbLsg2sXwl83MD8X77wia5ucmIokAJjEiQNTdXYms%3D&reserved=0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:209948 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 config.messenger.msn.com udp
US 64.4.26.155:80 config.messenger.msn.com tcp
US 8.8.8.8:53 eur01.safelinks.protection.outlook.com udp
AT 104.47.1.28:443 eur01.safelinks.protection.outlook.com tcp
AT 104.47.1.28:443 eur01.safelinks.protection.outlook.com tcp
US 8.8.8.8:53 accounts.google.com udp
NL 108.177.96.84:443 accounts.google.com tcp
NL 108.177.96.84:443 accounts.google.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
US 8.8.8.8:53 eur01.safelinks.protection.outlook.com udp
IE 104.47.2.28:443 eur01.safelinks.protection.outlook.com tcp
IE 104.47.2.28:443 eur01.safelinks.protection.outlook.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 support.google.com udp
GB 142.250.187.206:443 support.google.com tcp
GB 142.250.187.206:443 support.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
US 8.8.8.8:53 storage.googleapis.com udp
GB 216.58.212.195:443 ssl.gstatic.com tcp
GB 216.58.212.195:443 ssl.gstatic.com tcp
NL 216.58.208.123:443 storage.googleapis.com tcp
NL 216.58.208.123:443 storage.googleapis.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 216.239.34.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 172.217.169.14:443 apis.google.com tcp
GB 172.217.169.14:443 apis.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
NL 108.177.96.84:443 accounts.google.com tcp

Files

memory/2432-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

memory/2432-1-0x000000007345D000-0x0000000073468000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

MD5 006c3b5f52cc521343bb85765d0966b7
SHA1 ac1236764e66f1d3115ff3f48c3e34c25b466f84
SHA256 60fca6941b21d0a045f3a788a53fcbd353ac91a9c18727a018aa0842d25aaf5d
SHA512 450445be45d300330c2a16e3eac13bb0bab21ef4097fd620a7593bb017ee629486b18089518e7ec77f42363e6e2ba08df25a8fe1b1973cecf8b932b2c04a3084

C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

MD5 48dd6cae43ce26b992c35799fcd76898
SHA1 8e600544df0250da7d634599ce6ee50da11c0355
SHA256 7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a
SHA512 c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

memory/2432-162-0x00000000692F1000-0x00000000692F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\{30BB83EE-C0A3-483C-A635-16DC592EA0A2}.html

MD5 adf3db405fe75820ba7ddc92dc3c54fb
SHA1 af664360e136fd5af829fd7f297eb493a2928d60
SHA256 4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476
SHA512 69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2432-193-0x000000007345D000-0x0000000073468000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\9GS7HEC4\accounts.google[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\favicon[2].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat

MD5 b8049eb8f8bb7c6df745c43990d46704
SHA1 b8ec6cbd925128f421cc8e55fdec522b768cddd6
SHA256 4d589c37a4f3a1bd118ea5581878e28198b2994dfb3ad4bbd2aafceb73dd8a63
SHA512 2729def3fbf40a1502fcb3fe19282654c56cec72cfa1954e259999ec2036e9381295975e4326059c7af9483437409a8837a68964c842babf087febad828f91a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e001e0e3af0a1cacda934e533cfce08
SHA1 1169b600dfe113fb586fcf0709b17fc08d559d7b
SHA256 99448ff56cbdbb031f8f43de4bae50a05324e6cc35b76b5b41a2f2327bbac1d0
SHA512 f0f0e74c0d7df0b274bc0f8ed897998e539379e95d8e5f1d6e4585fbe96396459285e2753a5f1e7e16e54f215a1a6e467e962a15a0f16d9a5dd38f0bf6c12994

C:\Users\Admin\AppData\Local\Temp\CabF47D.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarF56A.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f86590cfb45c40ebe225c4e01be93265
SHA1 3c3087ba8a63adc3821a6d4db3dda475ea5990ee
SHA256 52786387648007e5ff35298f1b737219415e75d64b970df9594f55d64f9e4f3e
SHA512 d11d712e5064bd730112574fead8a3f7c6634c968cc628ca12467ec05828b3b3776631fb7c8b49fb6a4eec985ffd9be069e7941dcd711ad7380e435d3f71b838

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a377f1ba2a2d014541a2ef38b5898394
SHA1 777ee63dc77c47dfc25703adacb3724e786a868e
SHA256 153ca98fc4cf70e2417f6f4ceacb1cb266a5ae1ea97846e8a919d6e344b52826
SHA512 2845109211199848e976344e25003858ceb252c18c3f71552668da3010c9f2418fea1f5f56bf48811b489725eba6f0da33398237e10d83c0041e2843442554fb

memory/2432-722-0x000000000FC20000-0x000000000FD9C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49

MD5 7b2edb977fc3b123d128869aa9a13ad6
SHA1 9139f2ac1af863a925394c75a98c99d480bcbe67
SHA256 7db2641675426c1cb7a30146c156b204a62ccf5f3442364fb9144103f9dd48fd
SHA512 ec07074af9e8650fdf1f32ae7c79f9a20ba68c7595eb58bdcc32b05d10b2a645f332b17a51ca87ba894ab86e494859708be602f5d7d3ed5395f09ac5ee904cc6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49

MD5 8fad0a8eaf59dc0ce1d451ce8a4ddb3c
SHA1 a8194b7623d1c23c84c952061eb50a4178b1804b
SHA256 0caa0f7719f2bc8419eef7c5355fcc02ac01aae1b988d3526d4f0b19ff2fcf51
SHA512 bf52ee3b128c2db40e7153fece8773875e51868c83c6465ea1881f741f7bfef5cc29187569f3e59f28badd2b348453e891470108ab0e51bb616ae6c5da109011

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb002162dd701c322ba6aebc11e5861e
SHA1 9de7056ccf3d40757f9ed688091679a1bf81d33c
SHA256 65f82ca4035d1c19c6eee122ef1186951ce5566a132067cae8194a70f815ae57
SHA512 b6ff50bbd8bbbbfccc4b98d1193cf036d7aab34c8d89a77fe17f238aaabc8dae3cc60cc763d3b07282ca0b0b3de9fed16ef3d2dcf230c62fd448249e88f8a441

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_77B1CCFAF3D0516ED1D1368847DAC1ED

MD5 aeaeec59350a548971f8d1636b471685
SHA1 4254a97ed9d7c7a25b4bc6fa7f49aee505f0ffc2
SHA256 73681f1e257b87074b7b08e6073dea1b0204ee7eab4db48a8555a1852758afd2
SHA512 352f59c14630b64c2e170f6b7b84d3d47bdf774addf5008e47458d942ff5208dcd73adcada33b938ccc9fedfd61f1f0f07355c178cc9a1aba13fac215cfca9a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_77B1CCFAF3D0516ED1D1368847DAC1ED

MD5 a43823c8092b064da598d5042db3867d
SHA1 35271104d5bb880f7d2926e55fef95713a782e2c
SHA256 b832d8ecd531aaae4244e5aaf3640873853b3f0a1eabc911024f2ba5edbe48ae
SHA512 48b13fc9611f39b3755133f0be0eff7233c52c054f9cc4f9a4b62c85c4cf16362e7f0eef6fdbade5bb2db71e2a88a81d23218c8e455f7ab7c680937cda50af3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 fea97bb6a59817268c2c42f5787cb398
SHA1 6fd89d993cbe5b0429ba0d42c23aefbe454717f1
SHA256 162039f62ad9c922004b5055c800ee71c8f310d6d9ef6b06d14f83d54bcccaf5
SHA512 68572e08ff1dc040241dc6744c6986053fdf36cec37415761694844a101261ab3dbae57fc2b7e40c82a158d45bcf31033fbc04b3e2b3bdca99d619e4f66b312c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 a044ece54fe8f9b5fd71dbe1be02ed70
SHA1 60a726a2bbb13296d6258c7949fff5e861ab5ecb
SHA256 e9246604f91ddd4a6a221c8f0b8355ccb1b67e4b8ade2d59034bba005be55967
SHA512 38a760a0dc33873d06164f01a72bc7479d25ca01a43eb89a3fa528427651508709ed323a22443f5959fefc026208cb5f3d4e113943ae071173e64d32aa2065b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d6133725ce13485e3cb1f9f5e15948c5
SHA1 b492137620ee26d638c13169dc11070b65518774
SHA256 4d27a31d7343dc2cca0d2a7599ea1c9b34acdb43d0bb89d79aa7dc5118b693a8
SHA512 72abdfa6f09899c2e2b9e26daa9e8c299e5c7e68c9139457f7f22e954902207f87e73035f50cb8526c76711c1778d6641906f20243361ed24393057dd6fe4610

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_520FA7AD0A5B7A5300910F5BBDCB6D0C

MD5 f4cf041f3c6357384617470c5121eb05
SHA1 0537499bb96530ba91c79aa8fe8c757b99bbe409
SHA256 90389045071c53c6311ea8f6c6aaf3809660e5a2d689c32c68595edf14f61139
SHA512 16e8fb7d673a963db9d9efe6db8a4f5694fd74ae98cbdb175e85ac3f9133b4c4fdb64cd02e0b74fbe2371bc7866cd43f1dd22cc754e4f0e1b9021bfc98beb6ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_520FA7AD0A5B7A5300910F5BBDCB6D0C

MD5 f7e71fea04637dcfb12ecd6079d61729
SHA1 5825d0c34b686f4d49bc93ca9aebebeebfd9ce0c
SHA256 79117d492f35cce6e2c4f0c54d1deb1351338c6dbc0f3f843cbfec81ce7b3e3e
SHA512 7df005d5e85ecc1c373711a74956d5848ad9ba4476651f8d9fd2c5b17283ece2610356e38b8f619fb25edb01e3f6e6771af0da19c7062099ec5dec1c40a3b5ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\53STNJLW\KFOmCnqEu92Fr1Mu4mxM[1].woff

MD5 bafb105baeb22d965c70fe52ba6b49d9
SHA1 934014cc9bbe5883542be756b3146c05844b254f
SHA256 1570f866bf6eae82041e407280894a86ad2b8b275e01908ae156914dc693a4ed
SHA512 85a91773b0283e3b2400c773527542228478cc1b9e8ad8ea62435d705e98702a40bedf26cb5b0900dd8fecc79f802b8c1839184e787d9416886dbc73dff22a64

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff

MD5 de8b7431b74642e830af4d4f4b513ec9
SHA1 f549f1fe8a0b86ef3fbdcb8d508440aff84c385c
SHA256 3bfe46bb1ca35b205306c5ec664e99e4a816f48a417b6b42e77a1f43f0bc4e7a
SHA512 57d3d4de3816307ed954b796c13bfa34af22a46a2fea310df90e966301350ae8adac62bcd2abf7d7768e6bdcbb3dfc5069378a728436173d07abfa483c1025ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W79VKSP8\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff

MD5 cf6613d1adf490972c557a8e318e0868
SHA1 b2198c3fc1c72646d372f63e135e70ba2c9fed8e
SHA256 468e579fe1210fa55525b1c470ed2d1958404512a2dd4fb972cac5ce0ff00b1f
SHA512 1866d890987b1e56e1337ec1e975906ee8202fcc517620c30e9d3be0a9e8eaf3105147b178deb81fa0604745dfe3fb79b3b20d5f2ff2912b66856c38a28c07ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_FC81B3040A3979C87E07C970CA7A4407

MD5 2be6791f01099f04b24aa813595e70f0
SHA1 d343d35600eac1c422742d80e8137209717eba91
SHA256 b0fc03e7b727572ffa22cbb495a41663e85fa35100cfb31ad4ac22d0ce10d2a1
SHA512 0d38cd1c3385dbce0f6f18bc9265c83c2f9ff83ebe163425f10a190319fc04f4abb972de04b3aed3f40bf9c7b36058660f3e4cef31bfce7b32fd269796c72780

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BR4DVLOK.txt

MD5 8943623dcc6e2c1c046248256e3fb940
SHA1 78aea151d846e52bdd0cb31192f6241e316d53cd
SHA256 ad6b53f5b047fc22993f61dcae9dc260ad4b3a1a11a1f6b2c1315002de4d1ce1
SHA512 760d70aa7a95f010de1c6d21396513068f5eb8bddc0d907ce3661cdd849dc769ad0ab48433511448df1fa298938224586c3b54e218a7ff89437d5ad116918611

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 e1bde0b21d6626907e022e6e6f210088
SHA1 dcfb5a5d2f889fbb838b2c443e494aa8ecf04779
SHA256 1a2a86134fc655e53034d335370db7b00b42ef44696a098991f8141f84d3b411
SHA512 85e98c2972f1effac67db7a9dd8f91fa6ae020367dd516da5553f92264492f757570ce2bd82eede6e723541f9484673582366677359877abc25283f940a18410

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3c6477bd86e1fbdd044bac448e39b18e
SHA1 7a7342ba79ed82a22a7c2c93a1ace641058b33d1
SHA256 5634e5133a3cfb9d05481cfbc62363637fe400bb20e3b5e681afcb6bad75db60
SHA512 826625e74d21278c06e6ecd845cb3bd40252afe36defd47073e41743a2ea689a53f9a94118f7356765d360557d64971f4e2d24fa1f6593b4456007a41e0fc568

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\0ptx2pp\imagestore.dat

MD5 23a3e0f94aac17dc9f7e098b78891172
SHA1 477e224831e5ebda2abea1adae84a4b778b15ec1
SHA256 c6c288977fc58e052e9df89e62af98b36f469f856874bcac1829b8e1ff3bbe7d
SHA512 d41ac6bbd21d42f0ee554f962915037c70a7298a44f003b4334b504dba59651eb6ec20b20313b01d787496ffcb925d3720a1a07986ea737df427e7b817be559b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 b30dc885520d1354b6854c70613ecc16
SHA1 507aecd6a8f598c89bcf24823cf16fea18fcee93
SHA256 2608cfb9395cf60dde150e8f46ea45b3e35700c7a8e801eb6f4cc88ec22903ff
SHA512 2843df18ce50acd950a809743b1b75f8e86f1ee9d86d022f90b5c846112fe3c782018c523c7e38d225efbe4e0e0609e47f065b43f4689c9bba13ae0512d0abe9