23254b6db6c5d17ac8baf15c9813eeb0394d5d80859148648b5d561b982e0413

Analysis

max time kernel
283s
max time network
174s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 20:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RE_ BSA The Software Alliance -Confidential- Software License Assessment Notice - AUTODESK-FINANCIER.eml
Size

130KB
MD5

463b919ceab53f8bbd0c7d6953abab72
SHA1

b5daa82d97ba92181031d95b9b5b1206898eb90b
SHA256

23254b6db6c5d17ac8baf15c9813eeb0394d5d80859148648b5d561b982e0413
SHA512

415d86e06b6ac1899735ab052496a4333d191c1f8c00c4b129e856df391ae0896b5af213f08c5a177e571298fec3c431b5adb3384453f39ff6f3fb4464a83db8
SSDEEP

3072:shdSEuSP8B7JiQNr1JnozSXaVaTehm3QcnBATzd:shdSMEYUr1JhXaVaTUc3nBATx

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 14 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\system32\perfc00C.dat	OUTLOOK.EXE
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	OUTLOOK.EXE
File created	C:\Windows\system32\perfc009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00A.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh010.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc011.dat	OUTLOOK.EXE
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	OUTLOOK.EXE
File created	C:\Windows\system32\perfh009.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh00C.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfh011.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc007.dat	OUTLOOK.EXE
File created	C:\Windows\system32\perfc00A.dat	OUTLOOK.EXE

Drops file in Windows directory 3 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
File created	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File opened for modification	C:\Windows\inf\Outlook\outlperf.h	OUTLOOK.EXE
File created	C:\Windows\inf\Outlook\0009\outlperf.ini	OUTLOOK.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

Processes:

OUTLOOK.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000f91ba93567820fe9f6d148ba62a8eb70c7c2b0c82fc6dadf28f5708fac49575a000000000e800000000200002000000067199fafa913291c641fe0cd7a5bab9b4f403f019e63ffcaf77c434924c393bc200000002bcf224c6c968d7d6b7a7a313326155e81ae765d7655760e7018389a39beed294000000013d85325187ab64c6dcfb2bd3dd3d8468ab46ee61ce7316351f14159654f9dbc9a331801d6d8b84680b380edee089ac2c3bf120648ce299c0aad3a84fb7c9b72	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000485abbb8f9f25b55eeaa52ae9b2e3ac8e7bf7d8bd2998ee12a4e4007f3a13ba1000000000e80000000020000200000007ea6f319d57167b7196bc6487e33145fdff2341763f7b7efe3b7125f41989dcf90000000d101475e5b1640d30bd7d5d3f43ccd1f2f7b98f76ceee685ce5b39097355d4656c1dedf48268edbcd4f1a8b2c27218b81ed9aa24ffbf6472596b50cba960b519e82bdf86a1ae29a6efbcd67d02e4fccc15de7c11b4c92152a5a5fbfabc7f8b305246dd3db1f38bcb60562ef8459c15ae6d80c208dfba719a504dc01c19f4eb554b9399a55d9f46a3297898123d11fd174000000014fb1fcff775fd8474567eeef78e8bbdcdd25d8c92059cb5446273633d2c667f80313d673f51c873275fd0a8b0017ff5ce56fd47c232b807b0557ffdd7e58cf7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422571503"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	OUTLOOK.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6063968286acda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	OUTLOOK.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	OUTLOOK.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	OUTLOOK.EXE
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	OUTLOOK.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	OUTLOOK.EXE

Modifies registry class 64 IoCs

Processes:

OUTLOOK.EXE

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}\ = "_Categories"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F1-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063003-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063085-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E8-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063034-0000-0000-C000-000000000046}\ = "_MailItem"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063094-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063059-0000-0000-C000-000000000046}\ = "_FormRegionStartup"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe\" %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063046-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307B-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006307C-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F5-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067367-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063081-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{50BB9B50-811D-11CE-B565-00AA00608FAA}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FA-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DB-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063025-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F4-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063062-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309E-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067355-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063042-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063095-0000-0000-C000-000000000046}\ = "View"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630C6-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FC-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067353-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006303A-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe\" /p %1"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063021-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304A-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006F026-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D8-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630D0-0000-0000-C000-000000000046}\ = "_MoveOrCopyRuleAction"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006304E-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630EF-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630F2-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F0-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672F4-0000-0000-C000-000000000046}	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063047-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006309D-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0006305C-0000-0000-C000-000000000046}\ = "_UserDefinedProperty"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672EE-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630DD-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063097-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063023-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00067352-0000-0000-C000-000000000046}\ = "_OlkFrameHeader"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E7-0000-0000-C000-000000000046}\ = "_NavigationModules"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630FB-0000-0000-C000-000000000046}\TypeLib\ = "{00062FFF-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000672FB-0000-0000-C000-000000000046}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063080-0000-0000-C000-000000000046}\ProxyStubClsid32	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{000630E2-0000-0000-C000-000000000046}\TypeLib\Version = "9.4"	OUTLOOK.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\msohtmed.exe"	OUTLOOK.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00063048-0000-0000-C000-000000000046}\TypeLib	OUTLOOK.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

OUTLOOK.EXE

pid process

1340 OUTLOOK.EXE
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

iexplore.exe

pid process

408 iexplore.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

OUTLOOK.EXEiexplore.exe

pid process

1340 OUTLOOK.EXE
408 iexplore.exe

pid	process
408	iexplore.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

OUTLOOK.EXEiexplore.exeIEXPLORE.EXEIEXPLORE.EXE

pid	process
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
1340	OUTLOOK.EXE
408	iexplore.exe
408	iexplore.exe
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
1340	OUTLOOK.EXE
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE
408	iexplore.exe
1736	IEXPLORE.EXE
1736	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

OUTLOOK.EXEiexplore.exe

description	pid	process	target process
PID 1340 wrote to memory of 408	1340	OUTLOOK.EXE	iexplore.exe
PID 1340 wrote to memory of 408	1340	OUTLOOK.EXE	iexplore.exe
PID 1340 wrote to memory of 408	1340	OUTLOOK.EXE	iexplore.exe
PID 1340 wrote to memory of 408	1340	OUTLOOK.EXE	iexplore.exe
PID 408 wrote to memory of 2084	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 2084	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 2084	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 2084	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 1736	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 1736	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 1736	408	iexplore.exe	IEXPLORE.EXE
PID 408 wrote to memory of 1736	408	iexplore.exe	IEXPLORE.EXE

C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE
C:\PROGRA~2\MICROS~1\Office14\OUTLOOK.EXE /eml "C:\Users\Admin\AppData\Local\Temp\RE_ BSA The Software Alliance -Confidential- Software License Assessment Notice - AUTODESK-FINANCIER.eml"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://d2hmxl04.na1.hs-sales-engage.com/Ctc/W4+23284/d2HmxL04/Jl22-6qcW7lCdLW6lZ3nMN3hnR8T-5MmbW2XQZ774g8RpWW6j_JlL8xKgwmW8H9F118PTrkyW7m9_Dz3b5F3qW4dHJP99hZ1mQW1SQBkJ4N3S81W2q6qVG4HGSDSW2cWRB188pkNbW4pn_y888_JGgW5ly24g8mpBd6N9jJZgm531l8VqCQYK3JyjMgW6j3YwJ6jK-k3W3N7sCZ4QyfrMW6gB2Ph7TD99hW5Qrk0T47wHd4W76dfK06YrhLCW2m-WJF159Vt4W1tF5dF2-QQRNVVBWCh5Z6ndqW1Wrrq414WY3tW8TqJ9G1vdC2WW5nKQW69jyVxcf183ZJz04
2⤵
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:408

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:408 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:408 CREDAT:275471 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
299B

MD5
5ae8478af8dd6eec7ad4edf162dd3df1

SHA1
55670b9fd39da59a9d7d0bb0aecb52324cbacc5a

SHA256
fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca

SHA512
a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
5cc0d383ec1885d18e36022c25b79116

SHA1
299fa64db46d9c02044646533a1be9afe1fe2306

SHA256
fad63f2afc2d989cee74fbe24bb7daf3bc1aed87cf4130223ee691e985dc4f7b

SHA512
e9bb2509dd67299a861f3b9bb0229d7a0f046598049e4d3d7735cdcf0549a7a337b8e33d96a0b962b013645b711513b3287624dc0727302b64f3570d2024ed52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
88251fae45b1d847c34680538af1293e

SHA1
bd33e9e478a2fe5714357889fb93f5a7bac2598d

SHA256
e57c2f38057e88e9f153149ceb95a4d8eded5ad57bdf6594daa09257934b0812

SHA512
d07e6357a6f1a184b9be72092e7a7244d66b13932aa2b995e60df36050d170563374a8062dbe043cdfac40e2c73f17f1cf9b51fe7d4e05eaab7bac1cffbea9bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
524b92beb9b6b63524b56b8894a3dc95

SHA1
d2dd6042d4ca081cc6fa777380c00192da2e8acb

SHA256
46e43d11bcf339db9841240ce125d03c4306f3146a3973c23aa231749503edfe

SHA512
14bfc789c7b6d71f465fccff9b9f2041634008368b0ab95f0cca39aeff5fc1ecbbca7ff8da2316620e0956ddff79c9d9331cdf9e5a3e36dc02299ec4ca9866eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
097cc0567ccc5e8e2ddd07a89f7c92dc

SHA1
db0e456c0aee6071f8f8c7e24773107c599de0cc

SHA256
d5c863306b821ac4c3e6ac64ef2821011c6eb555df74d29add0e6ac65417e126

SHA512
e28f3a36e1b25f067d2588240d0cf9ee61736a6ca81834050f17d32314d80c692dc18e144c3c46cda2f3b8466c78cb40beafe5821c7b6e69570528aba0a1e7c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c5338b5fab725173b35951f9d08d06c

SHA1
9f950f4d09cb8e5e572237d938408d46450f32ee

SHA256
e80ba9c6c84a87c8b5362414c940ebcb8ed5528920ba8052f5ac374e147e48e9

SHA512
3a5be495c81b80706cc4dad2716c5eb802a70eafd638c2fa4aeca8be5b28b9c1d402dad70aa07b1605a2859493899091e8dab6669bd15a8f8df876f8343334a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d2281c69c93a2242635450be3bc59c18

SHA1
6566532e7c0f17e3b37df16e0640a83c6002ea7f

SHA256
14819150605f4c400ea7799d53f79be81ec5c46d7cc0d047299d8bc84dc3e04e

SHA512
16bcbfe0af1d250a10e8dad5fd08c326db33aa04cfaedf369acb19b9c8e03ab15fc4d7745d1ffc30275763d5694c5031117afc0999a7eb63d54fbae66ad8d9fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c3c7ad96873338c99cb87006de774c49

SHA1
c77e1cabfec72116617863b0f21184c7a345d804

SHA256
4cc7a976d61b8967e121a4c4682d841a8d2c07a05537eb32209b08d09d66d111

SHA512
b8bafbd561fc12e16473010ac58a38134526c49fce121921a794062d10836740331007e1840fa1d1a2d0aca7d1d718277fb04a7f3a5d4caeba307ecbf8a4921f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
50a66ca16d0bc9d9b24e60cfa0b3576c

SHA1
9b2835b10343926e145b9d128317b5cba354993e

SHA256
416fd9b5b8a8f04186c69d7673c260f13b287a8bab1b95899316bf99570d91fb

SHA512
4bc9eda800665a0e17fea76e6f722ea1cad24c4774b026257e241eaea4273737339cfebe4259233ea86134a57169c0a89a033c772c060128e34eebf11e5828cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38b78559af3cccd648a7d02f6019578b

SHA1
4d1212ee192d06887d2d7341f9de5bcf4f52c5cf

SHA256
89a51e55c889996a44d4b4a4759b7267553de6226a93ac5bedb81ee538e3fb63

SHA512
e72ea4fa43419a519a5e9cf787ec562f87ba7e08520b3531b11a17c72241876918ddbd4edc9eb8090e267fef404e727c8dfe2bfe33f6ff3cd7567e85e2272195

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6482e8a197bc7ba330d6ce3624a7b824

SHA1
eadef858ef9b99706a1edc0bc6879538c816ba0d

SHA256
93c3711eb111c748091ca4b207f251ef2f90f33ec05d86bf425f9918e51636a9

SHA512
54c021997617635f59974f897f22d9af1cd074f600b33310db6f0abc00d1453f6382500d47a6dd9b2d2949ca32752c227ffdc661709ea74c40f1f741678e9476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
51daaa401470dbec11fff2c6af9492ff

SHA1
c01167c8e9b9e20e097c03ba61b35bfa54ce5a9d

SHA256
71466d72f7a007ab69d21ca10167b5cadf829b064a023a8e6e9b786c5810b4db

SHA512
8a498d6c84f6c51f102cc0361e6072f55d27841cc1738838bdbac989e975bbf0361c0c13c2221440ef97039f9a053f153c9b3bfac687b56e753084e943aa7891

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68e262f36e31f2ae017bc0e32f49bb68

SHA1
6f4ccf7f73b98d9acd419e7ed848587046e908b1

SHA256
4be1087acbcae027cb549a527664344b1ace0575271b633b7056e19470cc1952

SHA512
4d78c8ee6d343504b65881c139f5712d4d404f047e15f0302451df39ad101dbf11e7c9b0ec7ae3bd0bf27119c3aba2c9dd3e57324cc229b6313e5c3421508d6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d948ad33c1e0d992f023f1837c611300

SHA1
ed684ea7a23311ec5d0821cf2843aed2a1f41f54

SHA256
b225eb5b7239099d6c81662edd9522761b14fa9331ec144b0d2e7b18f493fd79

SHA512
f1d611c0a89a3734cbb249639c6eb3faa4a0288ff7062d82c2794d5a579fbfdd54e32fedbd5bad20231f2fad7ea35202acd0b067766493063c772fc649bf9e78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e302ded272f3494ee2e694cef5ab4008

SHA1
37b0c13872ab500cb15d3c4662909d6abf02e1b4

SHA256
8a86ce9a64fac7732a084402011d60ff0acd678408161d10552942b5e6a4c977

SHA512
9b2d01610e6da7d56e27e1bcfa415c0a3c93dde70913ce83235d01fb4756c85da59856c171dffe7d7d06c7aaffe2027229bb1501d56867292ecc8be91c929365

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bc306bef75a352378c7fb1ee9a8cd1f8

SHA1
ebaa3813dffcbb82ad76a576e245b000cdeab6c1

SHA256
c99047fd35f730df000241f7b8caa967b8b31680de3bdfe9561a4a73e6105379

SHA512
e5ea3825dd8ae7415752389c09818b94643636e0bbc802e4138ccc6d399ad6febe723ef21d993a14257d6684b99fd3d64b817feed58df6cf90380dfa7ca31a06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6ef290708d2a666f0334b3fc21eabac5

SHA1
242b2ae889afabae65bc340b00ce3a9cf4736e25

SHA256
0ce4f1e9fd58aec6cf3ea8820cb98f1dd51ec1df8b1c9dcc678f975ac02f2f1a

SHA512
92b1993809c63c7fe52dc19117523abcc38c57059a52b2681437b398678ec393d62b9ed86e2233bdd8d16938f2aac51abda59e7867b6a65be9db8a5cfc11a1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
32636a92b75b5ec640c3854992e66298

SHA1
69a97c5316295efd230b3a47599f7548b7e42c4e

SHA256
f1ab17d432a6f9eaa9b6b3eb62812ccd6e7913c88443f89dde026ed31b0fe2a8

SHA512
52e74fd99f2328e92a1d0ba8a4d984607a878a171a346cbe25295debd1148e424e41a9a706a0495a0bc9310d922fd4a75b4839932d5070cf0af9ce658bb02dc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f337c2ad069c25c890cfcb4ac7c50f9d

SHA1
3ba7f974d0938df50be400da42a76a406b51f9a1

SHA256
b02fa5903c94e5b83311e2eaae63e009064f95e9d93daa78d1e317cf5da0b3ec

SHA512
897f88c0bbdbb42a7a2d70bc383656c7730e8eb99c89c159f8f2d63e27d1f6e4c6192b1c5f13f22fc113d3fa4d44f0f0f9aa4fe00af7b6d36c5a0c12b76a60fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c8ac17a49d63f7a037f0c10b7b5c80a

SHA1
f2d9add87b69f6d8559d2f81de7a9e3ea51cb147

SHA256
8acbb8c0a8e191ea85c34cb1de7f4f7df200b16651eb9fad8a5474222c07da01

SHA512
a49321c5af15f7ac70319ea85d222564f840b20dd12812b8ed9c2824879e6adc5d952e6a0244db8d8c0d930a62628a75af3d3629baae5d20dfceeda90c426549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
baade5425574b0c9c9b844ac9dcb5485

SHA1
12880689ede777fdf7755098342d5d07d894cf5f

SHA256
91efcf9c1aa8dd69d8d23505a7c0f2b3f9b1cb109d4d130b0b162fd2ca120697

SHA512
ac382ccdaba0b605508ffaf2a49d1e2e8980550d3c19c1c5f697c59bbfecf5586376b0073121dd119a0e83801344dd3de7d841b62ad721b6f80129120780228c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5c2568541bf6e3bcb6f73e16dd9b2ccd

SHA1
2a547510a5f8fb85c4f2f3e3c089ce15d9261bc2

SHA256
d6345c381a59e0d617f9846203ea01308a522fcaf6dfcf7a8e6f5a6a35795ead

SHA512
4ae62c3ee5ddc6064050a5cb018b19852d6d47d65e5d2f584732e1a78d675a8dfd429bbdbd4e93f90185a8a90d002357f684eae56073bd72f4ac836f5e8afeb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f7e0e312aaf6800b4dd5beb225a475fc

SHA1
9981d3e726463da55c16b1653c9c58f09830cc68

SHA256
c29b336df1f69490dbfc9d58d1963890c84cd240c595b27897ddd3721f4f44ac

SHA512
473743375fe5be4468a6e51029329e06443ab92bb7b5c7838bd09f4e1bade2536e109ca6a2801a6436aeb780f5dd94a8d24ee794c1efb042cc124c3421a47a86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
899e5b270643fe1fa41924203b410c1d

SHA1
4b2322ec32ce323c12d7114548dc12dd55995799

SHA256
0464b64422d5b1a42c921fe7a52e4dc18e3cf119f2944cf2914eb9952e942ec6

SHA512
04cfe83c40116cb64f54375c3feb4f211859b1193050666c12497bb502137f09a40bbf883e6b18f6d29215a3304e42ffd6f3b295891751c45bfdd3965a5f6604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78eadc60c9631e756481c803826eda9d

SHA1
fe11e5ed476a8dd8c83c3b86bc60c3f6da09601f

SHA256
ea8c8c9b820eded583f755d1e2811f45175022ee8596755f6405612be0648c58

SHA512
95812c89974c2329bfdc872b241abaf1aede34f41e35063de2e52814be2566ff17a7b4165758c0b53d6450e23ea981db4abd53143f435aa717e235313aa7c59a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ada4608f11a26028f1f7a0e0a3b788ca

SHA1
2ce02a1e01ccc43e167d0b10f3a3d07669f3de5b

SHA256
7149318433d50dcfdb29162d5abd0da90a539359c45468991d41bc78ac5a1a34

SHA512
a225fd9011c2d751ad4e2addbd1e7dedf8f6f3ff302a9502a16575fc7eda07ab5baae22ca05dd04e0adb8d666d7bcd0ab045e024fd8a8a32723481ac1f892bbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c79cdedddb76415d110bb5d9d675033f

SHA1
1583c4dfc7152e8cbe9722441d59dc67472672f3

SHA256
bdfabb3300bf003671cc0982494fa54414e7a11b59376c8dd2cb25dc564522f9

SHA512
556bc7a775c0a94a9a2b268a28704580ce81c714f06be302209ef1a4c79f31f324f570dc6937660b99377a807dd861813e25b8cf916109abc0b28c7b85d6c19d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
2d33cc356773b848792cb052b38726e8

SHA1
a0ccf19c84e3072afb5d7e47442ed66b6e855b72

SHA256
81401db46855c5a8173c7442dba8801a35b1f68ec29dc6816a14f0493b00c69a

SHA512
7e2448878d32acd6bd194778fdc957ea9ffa1d17cb96b060b0edc9402e4857d479a2c31ad60c2b26e2f565675e860bb5c788f1e05175e9a91d2daaf148d5d3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Filesize
240KB

MD5
49f709059121b4f20d88e4e044ecf978

SHA1
60592d1b7f9481c3e8ea45bfdbdfa83726f46df8

SHA256
cc753809a008a25834e89c84d5137345a165474b7670f7fbd120959322d1fa1e

SHA512
05662ac95841be8c273724d9888f5013f6b21dd43a3a182e81e51bdd54bfdf9bc29494f646b8038d00ff23068a73b93fdc3a5547324853e1dd8eaa5e03daee46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

Filesize
2KB

MD5
522a9ad2e019437697b453de30af897c

SHA1
b7066c2327aae91dd4f423f72786a079a17cac3a

SHA256
caf60732cd472edc577300a2933587efb9b3f1a34380c3f3bde341f9a53bfb90

SHA512
3221c0c5c4b7071f2a838ccdc295b9f7d0069710aa4ed80af929ca1ccbf274f2a5aacb0d9c4c6099c24b94c9aab71a5fd3e5f0a967d80a9b808ac757167e3006

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\wi962z5\imagestore.dat

Filesize
1KB

MD5
32495dda84f909830bb19fc330785031

SHA1
f6a2fa45214fcf48753dad5863d1e460d20a2567

SHA256
6e852f5a3eaa9da670b5af63c3950dd71727638ce75ff34bd00441bb37a3b8b1

SHA512
40acbc0bd2a64474a054626f3e169eb859471013afdf32c04e7d1778111c26bfbf8c857d7c2c7bc4b9771b206848bc250c6381df0b19ecac7ce3e8b70ec2349c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
884B

MD5
3b9456132c9ccbf8d0670d5d9bf6b38d

SHA1
4f47f1b2e938f3fc5906418f2df69e589a78cb90

SHA256
d0677a3139c57325b3559841fe27933786923c1b66a05b19022c4ce9283f205d

SHA512
9325360ca0ee6f8de88ac217984be5c7bad38748e32f25d58ac70e9dfc088034ff862c272e464a32ec27b54340dbe15207f46fe194a46ba84b0012de3b7ab7e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Outlook\mapisvc.inf

Filesize
1KB

MD5
48dd6cae43ce26b992c35799fcd76898

SHA1
8e600544df0250da7d634599ce6ee50da11c0355

SHA256
7bfe1f3691e2b4fb4d61fbf5e9f7782fbe49da1342dbd32201c2cc8e540dbd1a

SHA512
c1b9322c900f5be0ad166ddcfec9146918fb2589a17607d61490fd816602123f3af310a3e6d98a37d16000d4acbbcd599236f03c3c7f9376aeba7a489b329f31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KRMHFE1W\favicon[1].ico

Filesize
1KB

MD5
08e39ce1d114c522769b593c41a24e26

SHA1
46c7134e5c588b9723986216fcb862e4f64d25e8

SHA256
3eb8b279662b88ce416080184800862d55944e6461b1d09d0523d09173f300da

SHA512
c47a87ea8a9d1dcb087a1972af8bde1c3d9ff38f5ca1e85582a88eb48a31a88cd658a3a32dc1468956f337607f27e7499e04a33c63e5cbb3ee80af1ae1f2fba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5727.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5BDB.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5D61407B-0251-474C-BA94-46A74D959144}.html

Filesize
6KB

MD5
adf3db405fe75820ba7ddc92dc3c54fb

SHA1
af664360e136fd5af829fd7f297eb493a2928d60

SHA256
4c73525d8b563d65a16dee49c4fd6af4a52852d3e8f579c0fb2f9bb1da83e476

SHA512
69de07622b0422d86f7960579b15b3f2e4d4b4e92c6e5fcc7e7e0b8c64075c3609aa6e5152beec13f9950ed68330939f6827df26525fc6520628226f598b7a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J5XAZJHR.txt

Filesize
218B

MD5
73ecaef154d006d343623a752401dae1

SHA1
bb19bb9ac27e59a0fff8d2880af259cf0538b516

SHA256
44fc43f6cf3809a2d5e81cdec55ec2d145e1b0294af28a3c8727fab15febdeed

SHA512
66b2dc9798ea6e522e329fdfd4b17958a7eda934aae9a26337e7fc1a86a8f2543e477b665bfc32164bb8f31e4ed10486f072bc20a8a9fd6a97238bb4af45e8c9

Download Submit
memory/1340-1-0x0000000073F3D000-0x0000000073F48000-memory.dmp

Filesize
44KB

Download
memory/1340-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1340-305-0x0000000073F3D000-0x0000000073F48000-memory.dmp

Filesize
44KB

Download