Files
|
File Path
|
Type
|
Category
|
Malicious
|
|
|---|---|---|---|---|
|
a.manasova@mlsp.kg.msg
|
CDFV2 Microsoft Outlook Message
|
initial sample
|
||
|
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AC750082.dat
|
JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=1404, bps=0, PhotometricIntepretation=RGB,
orientation=upper-left, width=3482], progressive, precision 8, 1500x605, components 3
|
dropped
|
||
|
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C2CF8DBE-A3F9-4A9D-96B0-EC158C0DA5C3}.tmp
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Local\Temp\~DF8280B2FDC6D618DD.TMP
|
data
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\Outlook\Outlook.srs
|
Composite Document File V2 Document, Cannot read section info
|
dropped
|
||
|
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
|
Unicode text, UTF-16, little-endian text, with CRLF line terminators
|
modified
|
||
|
C:\Users\user\Documents\Outlook Files\Outlook.pst
|
Microsoft Outlook email folder (>=2003)
|
dropped
|
||
|
C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp
|
data
|
dropped
|
||
|
C:\Windows\INF\Outlook\outlperf.h
|
ASCII text, with CRLF line terminators
|
dropped
|
||
|
C:\Windows\INF\Outlook\outlperf.ini
|
Generic INItialization configuration [languages]
|
dropped
|
||
|
C:\Windows\SysWOW64\PerfStringBackup.INI
|
data
|
dropped
|
||
|
C:\Windows\SysWOW64\PerfStringBackup.TMP
|
data
|
dropped
|
||
|
C:\Windows\System32\perfc009.dat
|
data
|
dropped
|
||
|
C:\Windows\System32\perfh009.dat
|
data
|
dropped
|
There are 5 hidden files, click here to show them.
Processes
|
Path
|
Cmdline
|
Malicious
|
|
|---|---|---|---|
|
C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE
|
C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\a.manasova@mlsp.kg.msg
|
Registry
|
Path
|
Value
|
Malicious
|
|
|---|---|---|---|
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
>g5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
?g5
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
PerfIniFile
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Updating
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
Last Counter
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
Last Help
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
First Counter
|
||
|
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance
|
First Help
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDSharedFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Options\WordMail
|
FirstRunOnRTM
|
||
|
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\f0\52C64B7E
|
@%SystemRoot%\system32\mlang.dll,-4612
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
000b046b
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
cs5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
rs5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
rs5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
rs5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Display Types\Balloons
|
HWND64ForOrphanedNotIcon
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
rs5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
!t5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
!t5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
!t5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
|
!t5
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\3517490d76624c419a828607e2a54604
|
001f6000
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\UserInfo
|
SharingMachineID
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
000b049c
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
001f0433
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
000b0465
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Shared Tools\Proofing Tools\1.0\Custom Dictionaries
|
UpdateComplete
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9207f3e0a3b11019908b08002b2a56c2
|
11023d05
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
|
en-US
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OUTLOOKFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
EXCELFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
|
SQMSessionNumber
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\SQM
|
SQMSessionDate
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Last Counter
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
|
Last Help
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
|
00030429
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
|
OutlookMAPI2Intl_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OutlookMAPI2
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
OUTLOOKFiles
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Exchange\Forms Registry
|
CacheSyncCount
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
ProductFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingConfigurableSettings
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastSyncTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Roaming
|
RoamingLastWriteTime
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
ColleagueImport.ColleagueImportAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\ColleagueImport.ColleagueImportAddin
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\Microsoft.VbaAddinForOutlook.1
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
OneNote.OutlookAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
OscAddin.Connect
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\OscAddin.Connect
|
1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
UCAddin.LyncAddin.1
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UCAddin.LyncAddin.1
|
1
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
|
OUTLOOKFilesIntl_1033
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AddInLoadTimes
|
UmOutlookAddin.FormRegionAddin
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Addins\UmOutlookAddin.FormRegionAddin
|
1
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109110000000000000000F01FEC\Usage
|
WORDFiles
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
|
LastChangeVer
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100C0400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1036
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F10090400000000000F01FEC\Usage
|
SpellingAndGrammarFiles_1033
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F100A0C00000000000F01FEC\Usage
|
SpellingAndGrammarFiles_3082
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Search\Catalog
|
C:\Users\user\Documents\Outlook Files\Outlook.pst
|
||
|
HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security\Trusted Documents
|
LastPurgeTime
|
There are 68 hidden registries, click here to show them.