IOC Report
FW_ Orderbevestiging - 85500000571-1.msg

loading gif

Files

File Path
Type
Category
Malicious
FW_ Orderbevestiging - 85500000571-1.msg
CDFV2 Microsoft Outlook Message
initial sample
C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst
Microsoft Outlook email folder (>=2003)
dropped
 malicious
C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
data
dropped
 malicious
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OUTLOOK.EXE_b64c333b1caaf1150975129aa9c55951cdf086_00000000_917002f5-c1bd-4f4b-b950-9964101302c4\Report.wer
Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER68B0.tmp.WERInternalMetadata.xml
XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
dropped
C:\ProgramData\Microsoft\Windows\WER\Temp\WER68F0.tmp.xml
XML 1.0 document, ASCII text, with CRLF line terminators
dropped
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db
SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal
SQLite Rollback Journal
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm
data
dropped
C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal
SQLite Write-Ahead Log, version 3007000
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
data
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37D085A5.dat
JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 23x23, components 3
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48E73734.dat
JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 23x23, components 3
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7B87023F.dat
PNG image data, 260 x 143, 8-bit/color RGBA, non-interlaced
dropped
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F7F38762.dat
JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 21x23, components 3
modified
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp
data
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793394492800_D416B852-9DDC-4C2E-84EB-B842733E72B9.log
data
dropped
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793395735100_D416B852-9DDC-4C2E-84EB-B842733E72B9.log
data
dropped
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl
data
dropped
C:\Users\user\AppData\Local\Temp\~DFED457B9D1FC0D166.TMP
data
dropped
C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl
data
dropped
C:\Windows\appcompat\Programs\Amcache.hve
MS Windows registry file, NT/2000 or above
dropped
There are 15 hidden files, click here to show them.

Processes

Path
Cmdline
Malicious
C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg"
C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
C:\Windows\SysWOW64\DWWIN.EXE
C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528

URLs

Name
IP
Malicious
https://login.windows.local
unknown
https://nl.linkedin.com/company/thermo-clean/
unknown
https://www.you__substg1.0_8023001F
unknown
http://upx.sf.net
unknown
https://login.windows.localnullche
unknown
http://www.thermoclean.com/en/about-us/privacy-declaration
unknown
https://www.youtube.com/
unknown
https://login.windows.localnullD
unknown
http://www.thermoclean.com
unknown
https://login.windows.localR
unknown

Registry

Path
Value
Malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046
000b046b
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\0a0d020000000000c000000000000046
00030429
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676
{ED475418-B0D6-11D2-8C3B-00104B2A6676}
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\NoEmail\9375CFF0413111d3B88A00104B2A6676
LastChangeVer
 malicious
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
CantBootResolution
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
ProfileBeingOpened
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
SessionId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsDataPreviousSession
BootDiagnosticsLogFile
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
OutlookBootFlag
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Resiliency\StartupItems
f~!
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
SessionId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
ProfileBeingOpened
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\IdentityCRL\ClockData
TickCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Wizards
PageSize
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\MailSettings
Template
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Options
WMACUpdated
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Options
DefaultKerningLigatures
HKEY_CURRENT_USER_Classes\Local Settings\MuiCache\24\417C44EB
@%SystemRoot%\system32\mlang.dll,-4612
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
CantBootResolution
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
BootDiagnosticsLogFile
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
6
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Logging
NULL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109F00000000000000000F01FEC\Usage
OutlookMAPI2
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-CH
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-GB
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-CH
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
en-GB
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common
SessionId
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00006109A10090400000000000F01FEC\Usage
OutlookMAPI2Intl_1033
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Exchange\Forms Registry
CacheSyncCount
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=8192&uilcid=1033&build=16.0.16827&crev=3\0
StartDate
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
LicenseCategoryInfo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs
LicenseSKUInfo
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\CrashPersistence\OUTLOOK\7920
3
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
ClockTimeSeconds
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData
TickCount
There are 37 hidden registries, click here to show them.

Memdumps

Base Address
Regiontype
Protect
Malicious
31E8000
heap
page read and write
3572000
heap
page read and write
51F0000
heap
page read and write
3595000
heap
page read and write
5218000
heap
page read and write
5227000
heap
page read and write
30B0000
heap
page read and write
521E000
heap
page read and write
35A6000
heap
page read and write
521C000
heap
page read and write
3572000
heap
page read and write
34F0000
remote allocation
page read and write
35CA000
heap
page read and write
54FE000
stack
page read and write
31DF000
stack
page read and write
356D000
heap
page read and write
35C6000
heap
page read and write
35A3000
heap
page read and write
357F000
heap
page read and write
357B000
heap
page read and write
54BF000
stack
page read and write
547E000
stack
page read and write
535E000
stack
page read and write
5219000
heap
page read and write
34F0000
remote allocation
page read and write
35BC000
heap
page read and write
35C6000
heap
page read and write
3540000
heap
page read and write
35A3000
heap
page read and write
5210000
heap
page read and write
3700000
heap
page read and write
543D000
stack
page read and write
34CF000
stack
page read and write
5221000
heap
page read and write
3583000
heap
page read and write
3595000
heap
page read and write
3595000
heap
page read and write
359F000
heap
page read and write
370B000
heap
page read and write
3571000
heap
page read and write
35AE000
heap
page read and write
553D000
stack
page read and write
539F000
stack
page read and write
36D0000
heap
page read and write
31E0000
heap
page read and write
357E000
heap
page read and write
35B2000
heap
page read and write
30AE000
stack
page read and write
3583000
heap
page read and write
356D000
heap
page read and write
3547000
heap
page read and write
31EC000
heap
page read and write
FBD000
stack
page read and write
5222000
heap
page read and write
35AE000
heap
page read and write
3707000
heap
page read and write
36F0000
heap
page read and write
356D000
heap
page read and write
30C0000
heap
page read and write
F7C000
stack
page read and write
521B000
heap
page read and write
3584000
heap
page read and write
36C0000
trusted library allocation
page read and write
34F0000
remote allocation
page read and write
30C5000
heap
page read and write
3572000
heap
page read and write
35B0000
heap
page read and write
53FD000
stack
page read and write
3060000
heap
page read and write
35BC000
heap
page read and write
348E000
stack
page read and write
There are 61 hidden memdumps, click here to show them.