0fb9da04c144f23abe39907e76c035029cfbaba7c70a47817728b6f2ee2272e8

Analysis

max time kernel
285s
max time network
149s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/04/2024, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faa45074-b0ab-a109-92bb-a64030cf6e6f.eml
Size

23KB
MD5

3e638a9b5f6f129a494e7069a81cbfe7
SHA1

cb8be49abedd7a13970671c87565112afca37f40
SHA256

0fb9da04c144f23abe39907e76c035029cfbaba7c70a47817728b6f2ee2272e8
SHA512

8776bbbabead9c8aa479316a841135676f46a3d9ab379e3980ebb2b1888f992e93dd580032c5a884cb79a56c1d93d1724660235ed1f6676207c15ee055f51d38
SSDEEP

192:+AjwaMaenZDyOKkFtEx4TsiXV7Y4mJe7Fheg3czIOr0TF8zFA6VFHwHFDazP3gKe:MaKogFtq4AiXV7Y7+WFmCWsteUjcfCg

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

description	ioc	Process
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e027d96e6497da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009681e7042bf25c4e95978920d01fa13100000000020000000000106600000001000020000000bfd322b479299c49cd65724c625e23e43a4f136024da0910787e41a2dfa13af3000000000e80000000020000200000009e57042706aa2b17034852f201a10b60b13e2870ce5df80b03a351d567d554ff200000002c84048ed3fc3633c493a564c18da7b9b0ba5eaf5ab65ea00b77f023555b04d5400000001af9539b492deb6bc111585edb650f328404c57499c1d66b322d4a6de59669f12e752dc5a78fbd41c93906b39bd0d04a7327b18868d5530b69a3c7c818bcb44a	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9A9D2251-0357-11EF-9066-F6F8CE09FCD4} = "0"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420247894"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DF-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A5-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630CF-0000-0000-C000-000000000046}\ = "_RuleAction"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063071-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300A-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630B1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D1-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E5-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DB-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304D-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E3-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D6-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F8-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067368-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063033-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630A0-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FA-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063078-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063096-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F025-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063101-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063044-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063076-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063079-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672DD-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C8-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672D9-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063083-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D5-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}\ = "_Stores"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063037-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672ED-0000-0000-C000-000000000046}\ = "_OlkBusinessCardControl"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006300F-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1680	OUTLOOK.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1680	OUTLOOK.EXE
348	iexplore.exe
2952	msdt.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
1680	OUTLOOK.EXE
348	iexplore.exe
348	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
1680	OUTLOOK.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 348	1680	OUTLOOK.EXE	31
PID 1680 wrote to memory of 348	1680	OUTLOOK.EXE	31
PID 1680 wrote to memory of 348	1680	OUTLOOK.EXE	31
PID 1680 wrote to memory of 348	1680	OUTLOOK.EXE	31
PID 348 wrote to memory of 2088	348	iexplore.exe	32
PID 348 wrote to memory of 2088	348	iexplore.exe	32
PID 348 wrote to memory of 2088	348	iexplore.exe	32
PID 348 wrote to memory of 2088	348	iexplore.exe	32
PID 2088 wrote to memory of 2952	2088	IEXPLORE.EXE	34
PID 2088 wrote to memory of 2952	2088	IEXPLORE.EXE	34
PID 2088 wrote to memory of 2952	2088	IEXPLORE.EXE	34
PID 2088 wrote to memory of 2952	2088	IEXPLORE.EXE	34
PID 2952 wrote to memory of 2688	2952	msdt.exe	42
PID 2952 wrote to memory of 2688	2952	msdt.exe	42
PID 2952 wrote to memory of 2688	2952	msdt.exe	42
PID 2952 wrote to memory of 2688	2952	msdt.exe	42

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\faa45074-b0ab-a109-92bb-a64030cf6e6f.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" https://j942938lr5.execute-api.us-east-1.amazonaws.com/Stage/click?m=f03574d0afa185b8e45682e59a7646c7b10b9096651b6df218b40809032519d409327705b1fb40f0df7cf3488d19e391dae55719722aa69e560c99b0f0c4493bf328dbee603347ac72d32f8cf9c05908&l=cf437afe3f000b92b343c5fb38eec68df62a0e6116ed762ab60a11731dc3426c&u=b840142f3682f8ef960aafba75bc6daade9385b24101b812bc90d0f7341035274a90992e978cc1fc3dcb363d8cd9a082a14b99c3816c924377fb01c67ea527eaf62a0e6116ed762ab60a11731dc3426c
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:348
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:348 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2088
  - - C:\Windows\SysWOW64\msdt.exe
      -modal 131688 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\Admin\AppData\Local\Temp\NDFAA7B.tmp -ep NetworkDiagnosticsWeb
      4⤵
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\SysWOW64\control.exe
        
        "C:\Windows\System32\control.exe" /name Microsoft.Troubleshooting /page "resultPage?keywords=+;NetworkDiagnostics"
        5⤵
        
        PID:2688

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:1580

C:\Windows\SysWOW64\sdiagnhost.exe
C:\Windows\SysWOW64\sdiagnhost.exe -Embedding
1⤵
PID:2452

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1596

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereporting
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
4afd87e27a5d4bc3eea754ae68d8ff57

SHA1
4a7111c68c1fa8b72eb56464a205807f9c4652fd

SHA256
fe9c1dc0f84167dec3139bed110215e176d271f90525a0b5cbaa0f1da571162d

SHA512
d15ca691b6619c82e9d621c32b0e1a3b5cdd0bcb9c303810d09769293e44022fc4b3581a274d9d68e453324ce4d4e0b7a4b616a7d4a99076b1f96da9bb85c463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f6e30d575b997db2234708bfccc075e

SHA1
bdabcf8eb3104cb56386606ee02a3c0f16895a57

SHA256
449c414304d1daf9456b34c6323ea2d2e7a535d98c6f73e9f4882afe40546e92

SHA512
45a28cad5bf62cf035f24a7b3364fa6b841434ebe84003278a93754df597c19cb22e91c7cb94fd3a762c147b54d3768dc639a06e6b6a016a180240c56dc34cba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b35e34a187edfad2354a8589f860b4c7

SHA1
a0f14bdfc71210848145c33bd82db5160cebe1dc

SHA256
90c68cf23a796fb7f7426c651fea59e3b37732755c3d0e8787c37c8749b954df

SHA512
2448566e5ad2e2afd1515248e627ef17a2b966fb63c7fbbbfb916c30478c419001efb4329935376b5c1cdd5b9ee50e2ddcb2cd5e5461b88bd39a43129eb4b84c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
504b4b51d004c8e1873a5bf356be8493

SHA1
615e410b0edaaef5a2e6b3885e4b927d661cf6b5

SHA256
0694dd3d6e25e0daaf8deb0006559fb42f6a0b7406770ecbd00746576cb9f74b

SHA512
a7d2d0b29f947a81cd2e2014bd9cffcba9fde400d998d17284820ede5415ec56e4fdabc8ce87eeb825367d30b4acea39c75312fc2674e24bcfd300edca90714e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ddb4acd93209d7558d7393360f0d424

SHA1
6770af7d56fd8790fdfde5ee815e52e1eda44268

SHA256
fc376fd157ad52cee71e07365e4af65192d40c04bedef3d48aaaafe81189652f

SHA512
644e0774fad55b8758b10d682918cfbbd66b91606937b45f141c559c3015871fe26c61d20546d4a092a3730d6a8a4ea7b7e3c6938c453f30cb4d089c75b5ff88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
064acba76b314d4da911fc5acb79479b

SHA1
54d9eccf6bd5793d755ab8e8ec3dc098865e1c0b

SHA256
4cb00b8b917f4bf36fe9c850726a08dd97eb52c9cf0bd8709595371a8a4bb7b9

SHA512
7f12b8e34efa48d980f2f90b213e658eee844e0b586a44c6aab315d051c45658f0fb4ff2bd769ea02193a958c2274ea2bca5e0db0ec9d6f7c84703c378ae35d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6dbc90047f8545efe328f406ce3efcbd

SHA1
f9b1d913af76c338e301ff5c39dafb5cf20f54f2

SHA256
e05507fef2fb3ceb45e9a80a7367950978cb86c12eb389f0d9fae2ac01bf70c1

SHA512
ff45be7ce2264eceff63a046871f6e051d6f24e99a0cae7172d3e8403faabf56e04a178d443874ea5810c1cc15a4448c3157d49b64ac011593ad07e26e679b64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67971e5088b9dc0adc25785e12a6888d

SHA1
a90a725defbee982cad8d1fad9bc41525d534f88

SHA256
4cb98ca1e2baa3f8e4427811a64bd8302393b3175841609c5bb79a5efcc4612a

SHA512
63fa66cb210ebad2977de9a1c52bd0eaeddf709726b8b58739b32fb1ef34ee4797474d4de21f5d212397784935fb9f1ae1c38bec4325bea478a5052ace97f59b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
128d9ba6275b3e6136116f896e4fc250

SHA1
10c25aeeeaf076f0c144e9fecd236ed982aeacd0

SHA256
4c69efe1a20bff873eb0342c7a24dc450845b1ec4d13a2b5b034ce431c7d017d

SHA512
8ebe2312e8527e79bffb7e56697685868d1dd2c864e1f5f577836470c17aa3a49b97a5404f291c769fd81ddc61ac10670b105bb8242b48466d82abe7a1c91824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0c7fb9e36ef2f5bb2c78a63d3fa23deb

SHA1
3366eaba000bd252ff7fa3a303ad4a5d76f8777b

SHA256
0991c0c402220075bdbbc4b770fa7ddb1c9cf53264254e0ffa5ba7708c5ddb22

SHA512
a9a11f2e788ed19f1a178c772451b0c4149e1df5e75235c68dd7ecfa6391088430998fdb1e5131135cbef638c79a75275fb8aa46c31de83b1c3b4182fd9872fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ff4e3f24acc503a337a0cd5a97d77c87

SHA1
073becfd6524fdd39887b1c77f75656f9c8fe18f

SHA256
693c958b936e0103bf5ae966749acb8fd46fefd108c2585162ce0546c4b69543

SHA512
2655d497d7c3e94e81b1d8450a5e444190bbdcae5a4bfac144ce973428568e7fe15326eb6f99b4ce2f08daf2dce8b30e7a9c0f1eba176252014b03340f058f99

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6672c272109344d8b69f81d4450d4a2f

SHA1
9a7096d63b3e35ef03c46bd2a31be90d31f645af

SHA256
6b526f944cebbe5376fe84db28e9c559707ce657ed7f2f69a234f95b407747d0

SHA512
469afb2909614808429c6f71a66b608cbcb951f7f3169c4091e397263f11c7e26b34ea9c741af00e7c730854706ce9a40d3284266cf950ee83aac4f0fbc49da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a148542328fd137bec8760e296b50c84

SHA1
d636a72271ccdaa3ebb396e1fb3f86b26206de55

SHA256
8c3347c9d60cc69626df5b8688f0327f3daf33ea90c7e95417a9783f5a7a8fe1

SHA512
8dd4d38596aeb2e6d6786b997a68a7bc867594fcb1a350e16c105da7d4216f36814bcdd3ec61d02589faa6cf3d747e18845f1f47ca4eb965b114f6b3059886bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f6adef0a2a591b6cd5a0051473c7345a

SHA1
4510eec8bd22fb0a89c53e1f461f1a0e6c074cfb

SHA256
e6706fae57328564eed103963bf92c611282dc894c5bce1765fe80209a0c13f3

SHA512
fbd625d185f7756b2e63392281592fe874da8f97caaf5823043852cef25fac9f3ba82dd99311226735ff1213959a3f3013b3620810e4a549268e036646490ed0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
554edf031b9977a6550279c3402bd086

SHA1
403e32d31cc11f2fa3a5083b54125393b764bf8b

SHA256
3cd93eddfeae63184b50d82286bfb75c177bca886d26048d9cace3302770242a

SHA512
b6ae384094b66b1dab6926b274b1c29fccbfd8f529f265a755a076e51de2869dedcc3a77fbb6b0b54edeedecd06e36403409c6a0eeeb6e6333cd2af8883ddbd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e9627fae8c58c1b5bc8f5f3f3b4b842

SHA1
3ae2f9d2e9450090828290908012326f544b09f1

SHA256
2b00f8ddf418d1e973ff1522d7f51632d4024c4bd8cf26c097c248267711946d

SHA512
772e409b7d9ba0e2912e91e0c3b9d2ceb6a25f343f037b336f6e587de93cb4cf9dd2cc328ab3599b3d47c25e714166275c03d6cc9a391a466b54cf1251c25ec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e963df7cb541facab7b4cdb5dca0af5

SHA1
ce5e1b43f47a8361c846678fb982b58d8d3e7b99

SHA256
74413834e3d139d63173a83a1dffa3366cb5b98ec13b78dc8440ea2d6ac1e88b

SHA512
1578f23a5f3dc127d827ada2ef89fc3e907945c1978fe4040a772b8c28594d14197fb5059ff3e5a82e4367ae3b29c777b73f25425eef0da45ab2c2342225de88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
897eb8759607e4d279a6824aee34e25a

SHA1
46587c4f3514a3810bcb5b7edd96b893479354d6

SHA256
24d3eb623bed7181f1c2a7bbd2c6a6898d30526de6aac1d6e242781ec70238ce

SHA512
48cf2244418389e43cdd5a995282c06281fb78fde6f7672b74f2ef83b65fe28af5f4a85ec3999092a74914d916d1fc789c28b13df178e0dbae45f9408e85b222

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7793c84a0fe85f80f0e3bd18178eed9b

SHA1
27a770b951fcbffa9b7e362583a4d5106eafcb81

SHA256
9f7a83ae7fbef70ea496269e104a99cf7f6eaf8d9e0f68fe1c5ae6f0c30ec52a

SHA512
63ac8e13c45e00753b120aa15ffb32ce76389fdaf6cd316765ed3718c87eef1c6da43a37f3f7f0e468bffc76afbe2715f43a21a20d5dc4d726490ae7a6a959e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa16925ac38877d371cf536f812210e5

SHA1
33259469f42968c56e7fb281a7104a4be7458d8b

SHA256
a1129a025ff01be683ad7e1fadac408e1c528bbdfedc9e7c3dcd3b5de3dc178e

SHA512
ff324ad63cbdb6c6f687d5478aa462af32c89b8653ca03ebb7fcc3737b02ca1b63fb24c0597e47023d1a8ce4bd8f49b3f9d96ed125220b1c70672e6f57969862

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd0bda80562f8397514a70a3ed0cc71a

SHA1
7fcd13d17a1cd093dbcd7a0ae83fe11d6b57c643

SHA256
8b00f8232b85fa3d5327111205bd35ace5c895736ae5488f8fbf1251bb50d5c8

SHA512
8cf0cc4a5ae7e00eaf4f48559de8538d6b8466ec64c4261dd2b76e8c817cb6ed482cfaeb6d00b29de33014a9da97ff455ded7e11174f58c9b2eac03e9116b3b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c61236bc482eb2dce8d44c14c997b5e8

SHA1
22a6989d3abe68e322b8ffbfe62d0eadcb84ddbe

SHA256
8630bdb38d89648eab19161de80f8169d381ca5a2518f5b7a4876287d8f8758b

SHA512
f1de839267ef1b66b4aa52980de0d66a96dae95e15f0cb99394b24c4b65f4aaaef3253ca427e8fd8c985bb18d71d0a53de9ba39f1a11397dcfac51edc4bb183b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
467c8360611e468e86326f9c799a9973

SHA1
1afe9129995c8f3d4e6139ed3e23cece89b8e111

SHA256
987ddf3ab9dae9fc69f7d894994ed642900e92696979dfdd8792346de9ce1633

SHA512
82dfc1a9d801b4fa899440c2a561d325e24508db69e69af33d120446083d2e319799e7045abe991b1979a60d80a98c46306bdda4fba0a998897c0064098ce5f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fa73d7f925adf24fb5756dc95db7d5df

SHA1
4e9c7096dde30582e6cf1984a4b9287d797c39bd

SHA256
570cf986e987a148ca0747f2ac2b5289eae9d77f0b17b826ed3de6071d120c13

SHA512
b787a86c149830bf8df25b34378fccac6b786bc0365c05b06e01661e738e262e2804c72fd8c9041dd15df00236cbd884ad068e489d9683fb30e978bd35ba724c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cafc61dc2da8cb674b412f45238e737b

SHA1
8943e63cbb2dab0ad633224ee1b2113ce8ad207e

SHA256
32a10dfe9c51bab74c5561ffa5685f7a0b0bef124597513229ca7b36dd0a8cb0

SHA512
6bf41ca92f3a2ea6085d2386bece75c320e4ff3350c783931f499a711e618595fb7b49a40839f2a4dcb84995df381517245da721e7ffb13586b8fd5da6531686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a75ab6b1d08c87fc30864096ba5ed64d

SHA1
27d80eb088d7e5fffaa8ac0a4e6fc811fe988ac9

SHA256
2f4bc7af8a300c98e39b846aaffcf2947506cad1edb3a4de7f17f1fe19c5512d

SHA512
4011cccde04c37f03a52fd6e8c95257ddd54493bc80e06fa3199472c400d3a65197a6d715fd6e1b7c111ba3c1fb46e0ddda5cded0cc62d39acdd91cee0fde042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1eb080b4cec7d974fb0ed812fb4f87b2

SHA1
13b2683e1742ee25228de30a11692c1526a288ea

SHA256
9f4eaae23e2e495fe819e839682288a350e7604058ec395a7f9cc7f062ed4237

SHA512
92fe392131613893d10243b10808d27690bd4f002dbdaec6a1a6ecab3afe62845dad86388b192f58efa905e688e6b46b4c62929863ee5df243a41d9830e21bfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042523.000\NetworkDiagnostics.0.debugreport.xml

Filesize
69KB

MD5
c82ceb9636b4f595a81ed3d0a8011ab9

SHA1
fc2e402e5303aa94e5544c4ca49cff68b604b136

SHA256
757048567bef1f7dbfcf2ba8a29d7ed2aba613e083ba5ebfede94fe8b5a73b32

SHA512
16dfd6be13461ceaf1a08afbb3dead6f0b61da413d3459d97f57f71920c074e7d388d6ee87c6d27abfa0820ec989c2006e011151a8a38525cd29d84b2349bd54

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042523.000\NetworkDiagnostics.1.debugreport.xml

Filesize
10KB

MD5
58265eaa77eaadc31199519632add62c

SHA1
b94cf1b1d3f9cdb761e3f896649bcee1e8028ee0

SHA256
b28e83e7e4575635d45bc26d35dc7ae8df16270fce33377b16813b5650c4b9af

SHA512
392d9f789c37f78f629e8d9f1aaf99f74371de781dbcc4ca3de71958276de6a11092920682fd62b1245feac7af38208fa56fdc440c98ad55bb9bcbc4cd61a22a

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042523.000\ResultReport.xml

Filesize
35KB

MD5
32c591442474a5908afed4c6d8ccc814

SHA1
d2b9ea7e5576328511cc4d9868595ce4b7218e6a

SHA256
e710f2e710d362dfad9279cfc6b7d5ab8085cfe812cf81768284dec6ab3335ac

SHA512
c1bacea26280ca184ab6e28b620d78ab0f5c550ea63027b70d3c84236977020ab5e370b453e52384bf05c52894e6fd92c87234e9e91db298ae51aac075ad544f

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\460911090\2024042523.000\results.xml

Filesize
253B

MD5
840b413cbf5e57a93deecff7e76cf260

SHA1
cdcb54b73ea2acbfaa16e9355b347c2548411026

SHA256
de5825ee63dd98ca86f86652ff81ac75380b3ac4d880ab44d8984b8bf531ffae

SHA512
2130c9f55a3b28492c698def50cf92d805ccee1334c95ca8f9f776f6ceeee91884e751fac42510088a262dd82de01dcd6aaac5186db4a97a221bd8289a72c3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6357.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDFAA7B.tmp

Filesize
6KB

MD5
311ddb9f3f49c462f23c7118b9507b50

SHA1
faafb1b635df69f4f96a235c3c2cfc3df5316f91

SHA256
9349431ecf0a9de42f6c4f028474e3b7f40897812c101a94a0da88f6ae6689ed

SHA512
22f30f309b6bd78bfefcfb05157bdfb14d26515d50311e96e2c098c6d0b5edf12535810a3eb1f5320c14bc7a33e2e1d855fa6e52101a15c3e0fa5569a0cf188b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PLA7085.tmp

Filesize
195B

MD5
53a66bc60f26ee5512ee1de8de07ca2e

SHA1
8b73f4907dbf546e9b968988bc2467fb6cd763d8

SHA256
cecc5418a0d83c3e14d031ebcaaf98c0c500443740d6efb935b0e35b1d9cb629

SHA512
186cca6be1376e27529ba3e37c3c52cbe7201cc3173180f401ff04bcbd9ec6bfddf65be12008ab56154cb52b9ae27f37665b84287fd0cafe7c461a01606964f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar64E0.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{74C67337-C356-4B3C-B1C0-000D2C99F3FC}.html

Filesize
6KB

MD5
5b5206600e560d2be6d1f050626d0fd5

SHA1
e0e8502e560ee54e68a2c5e993b519af96497626

SHA256
9198aa01be860b8ed33cf4439f9167557e26dc95fbb9d7f9a171a49698e1d2e1

SHA512
7d1e18e827b978e824546d5bb0202247eb42c9766b71fbeb51ac54186e0109ae451c5ca95290ce056ae2e82766b2c5e71794d86190a51738aad343340ee22b23

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Windows\TEMP\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\NetworkDiagnosticsTroubleshoot.ps1

Filesize
23KB

MD5
1d192ce36953dbb7dc7ee0d04c57ad8d

SHA1
7008e759cb47bf74a4ea4cd911de158ef00ace84

SHA256
935a231924ae5d4a017b0c99d4a5f3904ef280cea4b3f727d365283e26e8a756

SHA512
e864ac74e9425a6c7f1be2bbc87df9423408e16429cb61fa1de8875356226293aa07558b2fafdd5d0597254474204f5ba181f4e96c2bc754f1f414748f80a129

Download Submit
C:\Windows\TEMP\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\UtilityFunctions.ps1

Filesize
52KB

MD5
2f7c3db0c268cf1cf506fe6e8aecb8a0

SHA1
fb35af6b329d60b0ec92e24230eafc8e12b0a9f9

SHA256
886a625f71e0c35e5722423ed3aa0f5bff8d120356578ab81a64de2ab73d47f3

SHA512
322f2b1404a59ee86c492b58d56b8a6ed6ebc9b844a8c38b7bb0b0675234a3d5cfc9f1d08c38c218070e60ce949aa5322de7a2f87f952e8e653d0ca34ff0de45

Download Submit
C:\Windows\TEMP\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\en-US\LocalizationData.psd1

Filesize
5KB

MD5
dc9be0fdf9a4e01693cfb7d8a0d49054

SHA1
74730fd9c9bd4537fd9a353fe4eafce9fcc105e6

SHA256
944186cd57d6adc23a9c28fc271ed92dd56efd6f3bb7c9826f7208ea1a1db440

SHA512
92ad96fa6b221882a481b36ff2b7114539eb65be46ee9e3139e45b72da80aac49174155483cba6254b10fff31f0119f07cbc529b1b69c45234c7bb61766aad66

Download Submit
C:\Windows\Temp\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\DiagPackage.dll

Filesize
478KB

MD5
4dae3266ab0bdb38766836008bf2c408

SHA1
1748737e777752491b2a147b7e5360eda4276364

SHA256
d2ff079b3f9a577f22856d1be0217376f140fcf156e3adf27ebe6149c9fd225a

SHA512
91fb8abd1832d785cd5a20da42c5143cd87a8ef49196c06cfb57a7a8de607f39543e8a36be9207842a992769b1c3c55d557519e59063f1f263b499f01887b01b

Download Submit
C:\Windows\Temp\SDIAG_6600ab0e-0497-4ae7-b7a5-192be06ee38e\en-US\DiagPackage.dll.mui

Filesize
13KB

MD5
1ccc67c44ae56a3b45cc256374e75ee1

SHA1
bbfc04c4b0220ae38fa3f3e2ea52b7370436ed1f

SHA256
030191d10ffb98cecd3f09ebdc606c768aaf566872f718303592fff06ba51367

SHA512
b67241f4ad582e50a32f0ecf53c11796aef9e5b125c4be02511e310b85bdfa3796579bbf3f0c8fe5f106a5591ec85e66d89e062b792ea38ca29cb3b03802f6c6

Download Submit
C:\Windows\Temp\SDIAG_d8f2cd4d-3518-432e-892c-2d3acc3e7da5\DiagPackage.diagpkg

Filesize
152KB

MD5
c9fb87fa3460fae6d5d599236cfd77e2

SHA1
a5bf8241156e8a9d6f34d70d467a9b5055e087e7

SHA256
cde728c08a4e50a02fcff35c90ee2b3b33ab24c8b858f180b6a67bfa94def35f

SHA512
f4f0cb1b1c823dcd91f6cfe8d473c41343ebf7ed0e43690eecc290e37cee10c20a03612440f1169eef08cc8059aaa23580aa76dd86c1704c4569e8139f9781b3

Download Submit
C:\Windows\Temp\SDIAG_d8f2cd4d-3518-432e-892c-2d3acc3e7da5\result\ResultReport.xml

Filesize
34KB

MD5
1a37dc7bedfbf641469bd960283ff596

SHA1
efe481ac6194f1976e71b47d31497fabc9222f8a

SHA256
7662f436938ea975330c2bfa5afcb1f3f73da226574857609f69786a41b81a89

SHA512
56349fd0539ff8b3f446e1bd1a399137be742a3c12c93d27534e6bda22d79d341a9b94224b0a22cc9ed41cfc866d61f886dbf2ec4f73e5267c891c60de18ff7d

Download Submit
C:\Windows\Temp\SDIAG_d8f2cd4d-3518-432e-892c-2d3acc3e7da5\result\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
memory/1580-1718-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-1311-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/1580-1312-0x0000000002980000-0x00000000029C0000-memory.dmp

Filesize
256KB

Download
memory/1580-1313-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1680-465-0x0000000073BED000-0x0000000073BF8000-memory.dmp

Filesize
44KB

Download
memory/1680-162-0x0000000069AA1000-0x0000000069AA2000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x0000000073BED000-0x0000000073BF8000-memory.dmp

Filesize
44KB

Download
memory/2452-1808-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-1700-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/2452-1701-0x0000000002270000-0x00000000022B0000-memory.dmp

Filesize
256KB

Download
memory/2452-1704-0x0000000063ED0000-0x000000006447B000-memory.dmp

Filesize
5.7MB

Download
memory/2952-1310-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download