Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
I_ Importante adeguamento del personale.msg

Overview

General Information

Sample name:I_ Importante adeguamento del personale.msg
Analysis ID:1413126
MD5:6857abf158dfd628fad4862b10140601
SHA1:ce0dc8041443225df22f912a6c5bd440d3739e5b
SHA256:d737e35f2834e821ce4e919ef5da6a450da86e32b9611fd4b7718141663da275
Infos:

Detection

HTMLPhisher
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Phishing site detected (based on favicon image match)
Yara detected HtmlPhish10
Phishing site detected (based on shot match)
HTML body contains low number of good links
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML title does not match URL
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Tries to load missing DLLs

Classification

Process Tree

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6992 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I_ Importante adeguamento del personale.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 408 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "624A9165-168F-4E33-9DFA-2D5F939B113F" "03893FA7-170B-4D2A-9ABF-083103FDC7E9" "6992" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • notepad.exe (PID: 5740 cmdline: C:\Windows\SysWOW64\notepad.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\ATT00001.txt MD5: E92D3A824A0578A50D2DD81B5060145F)
    • chrome.exe (PID: 6480 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6716 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1892,i,10504144835218021315,1120151145429709834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 7876 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 8060 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1856,i,12848406741023009643,9123952882044040590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
1.1.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security

    Sigma Signatures

    Sigma detected: Office Autorun Keys Modification
    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
    Sigma detected: Outlook Security Settings Updated - Registry
    Source: Registry Key setAuthor: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder

    Snort Signatures

    No Snort rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Phishing site detected (based on favicon image match)
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/Matcher: Template: outlook matched with high similarity
    Yara detected HtmlPhish10
    Source: Yara matchFile source: 1.1.pages.csv, type: HTML
    Phishing site detected (based on shot match)
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/Matcher: Template: outlook matched
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: Number of links: 0
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: <input type="password" .../> found but no <form action="...
    Source: https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/HTTP Parser: Total embedded image size: 106206
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: Title: Outlook does not match URL
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: <input type="password" .../> found
    Source: https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/HTTP Parser: No favicon
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: No <meta name="author".. found
    Source: https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/HTTP Parser: No <meta name="copyright".. found
    Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49733 version: TLS 1.2
    Source: unknownTCP traffic detected without corresponding DNS query: 13.107.21.200
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.12.23.50
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownTCP traffic detected without corresponding DNS query: 23.206.121.39
    Source: unknownTCP traffic detected without corresponding DNS query: 23.206.121.39
    Source: unknownTCP traffic detected without corresponding DNS query: 23.206.121.39
    Source: unknownTCP traffic detected without corresponding DNS query: 23.206.121.39
    Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
    Source: unknownDNS traffic detected: queries for: jsgroup-inc.com
    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49688 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49715 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49715
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
    Source: unknownHTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49709 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49733 version: TLS 1.2
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mrmcorer.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textshaping.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: efswrt.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mpr.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: oleacc.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: policymanager.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: msvcp110_win.dll
    Source: classification engineClassification label: mal60.phis.winMSG@32/20@16/188
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240321T1101350159-6992.etl
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\notepad.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\I_ Importante adeguamento del personale.msg"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "624A9165-168F-4E33-9DFA-2D5F939B113F" "03893FA7-170B-4D2A-9ABF-083103FDC7E9" "6992" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\ATT00001.txt
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1892,i,10504144835218021315,1120151145429709834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "624A9165-168F-4E33-9DFA-2D5F939B113F" "03893FA7-170B-4D2A-9ABF-083103FDC7E9" "6992" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\ATT00001.txt
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1856,i,12848406741023009643,9123952882044040590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1892,i,10504144835218021315,1120151145429709834,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 --field-trial-handle=1856,i,12848406741023009643,9123952882044040590,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
    Source: C:\Windows\SysWOW64\notepad.exeQueries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\ATT00001.txt VolumeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
    DLL Side-Loading    		1
    Process Injection    		1
    Masquerading    		OS Credential Dumping1
    Process Discovery    		Remote ServicesData from Local System2
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/Job1
    Registry Run Keys / Startup Folder    		1
    DLL Side-Loading    		1
    Process Injection    		LSASS Memory1
    File and Directory Discovery    		Remote Desktop ProtocolData from Removable Media1
    Non-Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
    Registry Run Keys / Startup Folder    		1
    DLL Side-Loading    		Security Account Manager14
    System Information Discovery    		SMB/Windows Admin SharesData from Network Shared Drive2
    Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    NameIPActiveMaliciousAntivirus DetectionReputation
    jsgroup-inc.com
    		62.72.62.180
    		truefalse
      		unknown
      nqnservices.com
      		84.32.84.229
      		truefalse
        		unknown
        mail.alpro-medical.de
        		185.44.132.165
        		truefalse
          		unknown
          www.google.com
          		142.250.72.100
          		truefalse
            		high

            Contacted URLs

            NameMaliciousAntivirus DetectionReputation
            https://nqnservices.com/0l-ll0/lanqchxnfdbxgjzhrm27yf-nraub6fghdvh43vh1-4lxnfdbxgjzhrm27yf-ztnraub6fghdvh4aqtqjxuk-zt8muvztnraub6fghdvh43vp-sjeuodcaqtqjxukm-egipphskbfty-llvkbftyrhjlsugipph-hxnfdbxgjzhrm27yf-rhjlsugipphgk/true
              		unknown
              https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/false
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                52.113.194.132
                		unknownUnited States
                		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.80.35
                		unknownUnited States
                		15169GOOGLEUSfalse
                1.1.1.1
                		unknownAustralia
                		13335CLOUDFLARENETUSfalse
                52.109.4.7
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                84.32.84.229
                		nqnservices.comLithuania
                		33922NTT-LT-ASLTfalse
                84.32.84.119
                		unknownLithuania
                		33922NTT-LT-ASLTfalse
                62.72.62.180
                		jsgroup-inc.comGermany
                		5427PRTL-DEfalse
                23.51.58.94
                		unknownUnited States
                		4788TMNET-AS-APTMNetInternetServiceProviderMYfalse
                142.250.80.74
                		unknownUnited States
                		15169GOOGLEUSfalse
                142.250.64.100
                		unknownUnited States
                		15169GOOGLEUSfalse
                104.46.162.224
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.251.167.84
                		unknownUnited States
                		15169GOOGLEUSfalse
                52.111.230.25
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.250.65.238
                		unknownUnited States
                		15169GOOGLEUSfalse
                239.255.255.250
                		unknownReserved
                		unknownunknownfalse
                185.44.132.165
                		mail.alpro-medical.deGermany
                		62177OSCONDEfalse
                142.251.40.195
                		unknownUnited States
                		15169GOOGLEUSfalse
                142.250.72.100
                		www.google.comUnited States
                		15169GOOGLEUSfalse
                142.250.72.99
                		unknownUnited States
                		15169GOOGLEUSfalse
                142.251.16.84
                		unknownUnited States
                		15169GOOGLEUSfalse
                52.109.0.91
                		unknownUnited States
                		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                142.251.35.174
                		unknownUnited States
                		15169GOOGLEUSfalse

                Private

                IP
                192.168.2.16
                192.168.2.4

                General Information

                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1413126
                Start date and time:2024-03-21 11:01:07 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:defaultwindowsinteractivecookbook.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:20
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • EGA enabled
                Analysis Mode:stream
                Analysis stop reason:Timeout
                Sample name:I_ Importante adeguamento del personale.msg
                Detection:MAL
                Classification:mal60.phis.winMSG@32/20@16/188
                Cookbook Comments:
                • Found application associated with file extension: .msg

                Warnings

                • Exclude process from analysis (whitelisted): dllhost.exe
                • Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.113.194.132, 23.51.58.94, 52.111.230.25, 52.111.230.27, 52.111.230.26, 52.111.230.24, 52.109.4.7
                • Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, us1.odcsm1.live.com.akadns.net, odc.officeapps.live.com, prod.configsvc1.live.com.akadns.net, prod-na.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, prod-eus-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, ecs-office.s-0005.s-msedge.net, eus2-azsc-000.odc.officeapps.live.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, nleditor.osi.office.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, e16604.g.akamaiedge.net, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, osiprod-eus2-bronze-azsc-000.eastus2.cloudapp.azure.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, prod.odcsm1.live.com.akadns.net
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtQueryAttributesFile calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtSetValueKey calls found.
                • VT rate limit hit for: jsgroup-inc.com
                • VT rate limit hit for: mail.alpro-medical.de
                • VT rate limit hit for: nqnservices.com

                Created / dropped Files

                C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):231348
                Entropy (8bit):4.394570471786771
                Encrypted:false
                SSDEEP:
                MD5:F6ED202EF1D56B6D6178FA40CD8B53B2
                SHA1:CA9F0E2AE5659EE2A58729C68D0A919E7B68B990
                SHA-256:3BA48ABD5C425775DF9DFB96A2F5742B7AA8A43BF902F6903FDB4C50C327409C
                SHA-512:6E03F0ED0EB70ACD6DF5E3787372015791B64C0E868EE1A742EDC6320ADB6BB664204F9B369088C5B9E9AF3E336EFC847FAD153CAE7223CB13459E86355F6849
                Malicious:false
                Reputation:unknown
                Preview:TH02...... .p)..v{......SM01X...,....B..v{..........IPM.Activity...........h...............h............H..h.........`G....h............H..h\cal ...pDat...h.C..0..........h.g.............h........_`.j...h.e..@...I.lw...h....H...8..j...0....T...............d.........2h...............k..............!h.............. h}............#h....8.........$h........8....."h8.............'h..,...........1h.g..<.........0h....4....j../h....h......jH..h...p.........-h .......D.....+h.g.................. ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

                C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\2D99EA36-46B7-46F0-AC66-95C5332E8CF2

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):161832
                Entropy (8bit):5.344033267369527
                Encrypted:false
                SSDEEP:
                MD5:3BAD0E4ECCD4F6375CEE278B06F625FA
                SHA1:BDD0A1F0A3FD49EB6A6D3D6F60DC1D57E29BE31E
                SHA-256:E33911F9B74E145F5F9D6CF1AB8563E27B939C4DF0E3F6F3949B222719180F36
                SHA-512:9E7528F8B0F2D3D9183EB0143EF5AD39BF8A527ACA4818610E555A8447693F2B6166712E590011E665E95A5BBE01CFB7F8A8082B84DAB5CBCC04DEC02F1D01AE
                Malicious:false
                Reputation:unknown
                Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-03-21T10:01:37">.. Build: 16.0.17517.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

                C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):32768
                Entropy (8bit):0.04575125179552959
                Encrypted:false
                SSDEEP:
                MD5:CEED63782D561C82E54EE64A5A34B789
                SHA1:E9AE45771E6CE3D1E1FF0087B5CD5026F1ED88F5
                SHA-256:8922586BF5B20B83D53C2FB639149C0627A799808A90EFDF5E8501103205852C
                SHA-512:4FF2650092B555C4E78A7D2A06F4F12681A43C872DF25221D916CE0098EDA8317D7324A74C13E85505982EBB03F88EAA4966B3B18A6E7743531E8B6F853CABC0
                Malicious:false
                Reputation:unknown
                Preview:..-......................Lq........c+..`v..n...-......................Lq........c+..`v..n.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:SQLite Write-Ahead Log, version 3007000
                Category:modified
                Size (bytes):49472
                Entropy (8bit):0.4850778740399313
                Encrypted:false
                SSDEEP:
                MD5:5024FAAD207432ED636048A65AE89D78
                SHA1:2A20F49E301D0B7130F6C466889620A2D0646866
                SHA-256:30DFDF10258FBE0EF07010DBE644449C8199F889E7B3DD1F746F29E92539E5B4
                SHA-512:C8337C58AC15554D34B4176BBBE5CA893A1B4D2B538F2F031F6C61A8C24178B3CE4058676F33983F1F192C800F86959BB935C9DEE02D55D0A613272AE29D2C28
                Malicious:false
                Reputation:unknown
                Preview:7....-..............c+.....%...-............c+..........SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\DUHMNRUK\ATT00001.txt:Zone.Identifier

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:
                MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                Malicious:false
                Reputation:unknown
                Preview:[ZoneTransfer]..ZoneId=3..

                C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{B8D178DC-4DBD-4EFB-8C31-DECB7AE746BF}.tmp

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):2196
                Entropy (8bit):2.9860768607778434
                Encrypted:false
                SSDEEP:
                MD5:8189A33B6838259D1932C2A92E072475
                SHA1:E98ADBED0C228D9D64C0A09FD8960DA001DD15D7
                SHA-256:642C82BA86785E04E66C9E79E66C0CDCC0E00F6971EB64B3DDB413DCBC883046
                SHA-512:673663B4EBEEAA9FE244F70F4A3991185F6BECD32DA74BA9B96B0469A8D18ECA3AB557FB7F5DA250C45C501964C4E4E9C151493C1582A9CD48937701F81D232B
                Malicious:false
                Reputation:unknown
                Preview:....C.i.a.o. .C.e.c.c.h.e.,....... .s.p.a.m.?.....M.e. .n.e. .s.t.a.n.n.o. .a.r.r.i.v.a.n.d.o. .t.a.n.t.e. .d.a. .L.u.c.a.& ........D.a.:. .L.u.c.a. .C.u.z.z.i.o.l. .<.l.u.c.a...c.u.z.z.i.o.l.@.c.u.z.z.i.o.l...i.t.>. ...I.n.v.i.a.t.o.:. .g.i.o.v.e.d... .2.1. .m.a.r.z.o. .2.0.2.4. .1.0.:.3.9...A.:. .C.u.z.z.i.o.l. .G.r.a.n.d.i.V.i.n.i. .<.c.u.z.z.i.o.l.g.r.a.n.d.i.v.i.n.i.@.c.u.z.z.i.o.l...i.t.>...O.g.g.e.t.t.o.:. ............................................................................................................... ...0...2...~...............J...L...X...\.......2......................................................................................................................................................................................................................................................................................................................................................................................................................................-

                C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1711015295372764800_37B12E2A-6BD8-4512-8421-549C10E335D5.log

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:ASCII text, with very long lines (28766), with CRLF line terminators
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.17820033670175686
                Encrypted:false
                SSDEEP:
                MD5:E7E20D41CAD11BD6049075ADFD4D92BC
                SHA1:4D30A3C3574561D56E5CA7679495AB7FFA49121C
                SHA-256:7E81B795BF4EEF9946428234EECD74D8FBBB13EFF4B9AAC70296CCA0A6A91559
                SHA-512:33283B54F9F342B4B3020E25CB6A918B4F09F956E602B143C3F7B6AF971CCC3A9B4D87FD1974BCAAF70216380583995B417E37E49CE3DF517B24543120BE1F78
                Malicious:false
                Reputation:unknown
                Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..03/21/2024 10:01:35.414.OUTLOOK (0x1B50).0x1B54.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-03-21T10:01:35.414Z","Contract":"Office.System.Activity","Activity.CV":"Ki6xN9hrEkWEIVScEOM11Q.4.9","Activity.Duration":17,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...03/21/2024 10:01:35.446.OUTLOOK (0x1B50).0x1B54.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-03-21T10:01:35.446Z","Contract":"Office.System.Activity","Activity.CV":"Ki6xN9hrEkWEIVScEOM11Q.4.10","Activity.Duration":15720,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

                C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1711015295373496900_37B12E2A-6BD8-4512-8421-549C10E335D5.log

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):20971520
                Entropy (8bit):0.0
                Encrypted:false
                SSDEEP:
                MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                Malicious:false
                Reputation:unknown
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240321T1101350159-6992.etl

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:modified
                Size (bytes):94208
                Entropy (8bit):4.453692741441485
                Encrypted:false
                SSDEEP:
                MD5:3E88F69D9F03BC583DBFB138B270F812
                SHA1:887511EA544ECDDBEF11408E5D39761E2102C125
                SHA-256:A338B24950A071D29F7C0523F53FF2507C6CEE70F2E8EF7526F63DC2A35A86F1
                SHA-512:9BC1C99BEFEFDB572B9DF435659EDBC2ACBA9A3D97DAC83D148A765EE6E12537D4447950B1F61F409A6B3B0AAF31547DDCDACBFD82F66ADA3DCB231877E7FFB0
                Malicious:false
                Reputation:unknown
                Preview:............................................................................`...T...P.......v{..................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1............................................................h.N.Y..............v{..........v.2._.O.U.T.L.O.O.K.:.1.b.5.0.:.d.e.8.9.b.5.1.2.2.4.9.b.4.b.7.e.8.5.d.c.0.1.1.c.3.3.3.2.6.8.b.6...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.3.2.1.T.1.1.0.1.3.5.0.1.5.9.-.6.9.9.2...e.t.l.......P.P.T...P.......v{..........................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Local\Temp\~DFBCF4EC227AE24527.TMP

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):163840
                Entropy (8bit):0.3676056824327746
                Encrypted:false
                SSDEEP:
                MD5:883CB323DD7082BB050F32D70F542EE4
                SHA1:685F3D579ACF859EE2CF579054C15BADB2CD9424
                SHA-256:DE03FE56D27804AD45B0F620C41C6D5D275A5A2AA5B32D3AAAF4895BB2C1978E
                SHA-512:7FB7BEC66E8E136C8BFF4C19CCD9311B1F9E84542D754D54D5E64199E9A1038FEDDFB7B73003E6BD61A109B4642F5EF68BDC5D1CD92BFDCAB2C4DF1FA178CD76
                Malicious:false
                Reputation:unknown
                Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):30
                Entropy (8bit):1.2389205950315936
                Encrypted:false
                SSDEEP:
                MD5:5DD12E6C71C3DC1B5757B55991C02114
                SHA1:DFDC2C35DA8661DA8B91272DCFF7A138DFFA33B7
                SHA-256:A7B5C3D97AA53BA32109924DBCB7AAB8FA20C8D4BD014A0CCD9C7FA2CB880CAD
                SHA-512:0740CF1DC13CFFC6C2F808D5B943197B82BA96420A455FC07D0FA95C969A38472228CBFDE0495E357A99D2188266083E301302EC941FA76D03A6504EAC5858DC
                Malicious:false
                Reputation:unknown
                Preview:....'.........................

                C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                Category:dropped
                Size (bytes):14
                Entropy (8bit):2.699513850319966
                Encrypted:false
                SSDEEP:
                MD5:C5A12EA2F9C2D2A79155C1BC161C350C
                SHA1:75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A
                SHA-256:61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
                SHA-512:B3D5AF7C4A9CB09D27F0522671503654D06891740C36D3089BB5CB21E46AB235B0FA3DC2585A383B9F89F5C6DAE78F49F72B0AD58E6862DE39F440C4D6FF460B
                Malicious:false
                Reputation:unknown
                Preview:..c.a.l.i.....

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 21 09:01:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2673
                Entropy (8bit):3.980357222191876
                Encrypted:false
                SSDEEP:
                MD5:93E870AACC7EF202840A83F99D8FE09E
                SHA1:75CD8FD760C692676D50B89D7034DD1C05A8907B
                SHA-256:77B1A4BB7499585CBA5E9D992A84063A122E2411C694B2E6BEB099380274900D
                SHA-512:BF27F18D0EC9220B51BF5CBEEA23AB56CF8287AF698A89527824D8671DD4508C349D9312CC6871F3B58EAEC3E135FD022645C5C678F7EC833D98E01BE89A96F4
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....X&.v{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VuX9P...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 21 09:01:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2675
                Entropy (8bit):3.9987405151975612
                Encrypted:false
                SSDEEP:
                MD5:4A7F2D91BD438186DD0293251C7415B4
                SHA1:9452DC5C26087F2DD01A93141F1C9E6E8EA0288A
                SHA-256:4B01519B3743DFBD1A81B1C95555AC5F06BD2D51D269C98E3999EDF176D4549D
                SHA-512:D4A8A2EC5267FD6BBAA5B91BF751D10B8A54EC1712FDC4A166A52FBF393228019D065DCBB01EEC941F59F80558776E387D38989787C8AA42FCF0350C6E64C9B2
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....0..v{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VuX9P...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2689
                Entropy (8bit):4.005052433129782
                Encrypted:false
                SSDEEP:
                MD5:2046E3B1DA520D2F2279CE1E1A873E84
                SHA1:0E2ECDDE4B531432BD0FEEF9E52B2F584AE80F38
                SHA-256:5D0908623D60EA292B58C35A6672DA8F98D450C04F04C3A33E5286EB951541BC
                SHA-512:17A18D0D0AD7AE11B74E20EA8573E0FBE5A334EE98A2A3BFA197475E9B08AD6598A0798E360D9DD9C2291DD7532A509A67E87967AAC55592412C3C7BFE27AC0D
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 21 09:01:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2677
                Entropy (8bit):3.99801672596119
                Encrypted:false
                SSDEEP:
                MD5:3D90CDB2F67DBDFE2F06BA8A417F80B7
                SHA1:1A409054230E97A8A9E7AC34CC5635BC9A3B1A15
                SHA-256:16AC38314A9C1FD96788F0819A6A7B9611575270CEFDC5283DB9C13E3F9FB084
                SHA-512:953703472AE6EB89E061C1972F22EF949633207167AE97448B6FBC080063711BFB7CE09EC75FCF5F56D2A1FC60712109F2BB00649F68FAE2C34C1E84BE917E2F
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,....5...v{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VuX9P...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 21 09:01:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2677
                Entropy (8bit):3.983217589801335
                Encrypted:false
                SSDEEP:
                MD5:41B597F1E2D9B544F314DAFBEF6DC53B
                SHA1:CD524351927AB307258D632A144A194459414F4B
                SHA-256:9C403949EE00A4343B6F989783BA93243BE71D8AA2815D7ECAB33A133C844BCB
                SHA-512:39997F7DC63EF614145356A483107B9636E6A6DC754A79020B881D546BB3C3FC6FC685DFA101C6F1071011B02A42D8F63255788EBE8812EFC0AB2A0D19ECCE33
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....r..v{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VuX9P...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

                Download File
                Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Mar 21 09:01:48 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
                Category:dropped
                Size (bytes):2679
                Entropy (8bit):3.994421331677275
                Encrypted:false
                SSDEEP:
                MD5:AFE650D384B8CED9EF24E3E29F6ED4BF
                SHA1:AA688E008218AC1FA34284AB2CA0925A560FD564
                SHA-256:13746702F160486152030C377FD3F28EEA8F2870520C928C93F142B060811E18
                SHA-512:233D1B7A49670C252A0D16C28FC1E77896CCC7C699538EA75BE0166EB609865572E0A2A96A86765EA758C0090C93E95689FBD3C049518B916092D0A726D5FA26
                Malicious:false
                Reputation:unknown
                Preview:L..................F.@.. ...$+.,.....Q..v{..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IuX+P....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VuX7P....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VuX7P....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VuX7P..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VuX9P...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............b.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

                C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:Microsoft Outlook email folder (>=2003)
                Category:dropped
                Size (bytes):271360
                Entropy (8bit):1.318477394004077
                Encrypted:false
                SSDEEP:
                MD5:4990FE71AAAD9FC66D09131824416C0B
                SHA1:D1B67230232E5ADDD02796D61E4C7DFA3E78D870
                SHA-256:8CBAF38CA24B5AF8ED4A3CF36D0B8FCB97E26228D09E414724562C7DFB9E6A97
                SHA-512:6B87E05E10B5FB6D934581CDA1752E59B141DFEFC116A0BC730A94656F3DEED5933A31B7998B779567A2B65E92449953CC877B0D8229FE14F85D2924EF569F2E
                Malicious:false
                Reputation:unknown
                Preview:!BDN....SM......\.......................V................@...........@...@...................................@...........................................................................$.......D......@N.......................................v..................................................................................................................................................................................................................................................................................<............;.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

                Download File
                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                File Type:data
                Category:dropped
                Size (bytes):131072
                Entropy (8bit):0.9117414611756831
                Encrypted:false
                SSDEEP:
                MD5:8D798CAB5D64CF71EB4A283E3A93038C
                SHA1:2D2A479640F2BCF3A00252CA1A7623B666A706D1
                SHA-256:5133269307AAAC0D5DA1009B7EF14969363119B917FB7449B1C905CF265E4523
                SHA-512:79D7E2B5ABEE30EEAD5864B136512EAE370A13E43F068C74267E87B82B5F44846A1C25E53EAA67D7FA9CAF9B6465C6D0E3B6DD39B465810C3BE5B486A6126FCD
                Malicious:false
                Reputation:unknown
                Preview:..u<C...].......P....]..v{....................#.!BDN....SM......\.......................V................@...........@...@...................................@...........................................................................$.......D......@N.......................................v..................................................................................................................................................................................................................................................................................<............;..]..v{.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

                Static File Info

                General

                File type:CDFV2 Microsoft Outlook Message
                Entropy (8bit):3.7074430998596277
                TrID:
                • Outlook Message (71009/1) 58.92%
                • Outlook Form Template (41509/1) 34.44%
                • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
                File name:I_ Importante adeguamento del personale.msg
                File size:46'080 bytes
                MD5:6857abf158dfd628fad4862b10140601
                SHA1:ce0dc8041443225df22f912a6c5bd440d3739e5b
                SHA256:d737e35f2834e821ce4e919ef5da6a450da86e32b9611fd4b7718141663da275
                SHA512:824973d578b00d33100013e72262d6e8db0cafc54e0ebd02e9db729bdea252665e2a8fbb8c8034f4b7a6ae6f134cfb0d15e016670ef713997f509a18e19e2d71
                SSDEEP:768:pmUJoM43IdsKYKrOvHaLHFKoVK1WaHYgC5RIH2gWPRReWysKtyh4SI+6/k3TqsKv:pmBIdAFvHaLHFKoVK1THY/5RK8/i0h4/
                TLSH:8C239B2536E98B09F27ADF769EE280C78526BCD1ED11C78F3291730F0971981A571B2B
                File Content Preview:........................>......................................................................................................................................................................................................................................

                Static Mail

                General

                Subject:I: Importante adeguamento del personale
                From:Milena Piasentin <milena.piasentin@cuzziol.it>
                To:Andrea Ceccherini <andrea.ceccherini@cuzziol.it>
                Cc:
                BCC:
                Date:Thu, 21 Mar 2024 10:41:06 +0100
                Communications:
                • Ciao Cecche, spam? Me ne stanno arrivando tante da Luca Da: Luca Cuzziol <luca.cuzziol@cuzziol.it> Inviato: gioved 21 marzo 2024 10:39 A: Cuzziol GrandiVini <cuzziolgrandivini@cuzziol.it> Oggetto: Importante adeguamento del personale Ciao, Di seguito sono elencate le variazioni significative del personale.sdhhiweihw2382382h28b8bd828223y8hs8h8 https://cuzziol.it.sharepoint.com/_layouts/12/sharepoint.aspx?v=news&e=&Q5d&xp=18 <https://jsgroup-inc.com/lls/x-file-bxgxdlxnfdj-nraub6fghdvh43vh1-ztnraub6fgdotgdnqchdxsddf-qjxukmjdqpk6jzhrmjllqtl/> I tuoi dati e il tuo nome sono stati evidenziati in rosso.dwejwejbwje73273y237273vy2vye777237vyq Distinti saluti444sams8uhquhe828ge3rg92gr42g0zbx173v3r4u34xyn4t3bt473t47t470btx74tb4 Luca Cuzziol
                Attachments:
                • ATT00001.txt

                Headers

                Key Value
                Receivedfrom SRV01.cuzziol.local ([::1]) by SRV01.cuzziol.local ([::1]) with
                Transport; Thu, 21 Mar 2024 1041:07 +0100
                2024 1041:07 +0100
                mapi id 14.03.0513.000; Thu, 21 Mar 2024 1041:07 +0100
                Content-Typeapplication/ms-tnef; name="winmail.dat"
                Content-Transfer-Encodingbinary
                FromMilena Piasentin <milena.piasentin@cuzziol.it>
                ToAndrea Ceccherini <andrea.ceccherini@cuzziol.it>
                SubjectI: Importante adeguamento del personale
                Thread-TopicImportante adeguamento del personale
                Thread-IndexAQHae3Oq8HJJLJTehEicoJdQ6hUNtbFB8LVg
                DateThu, 21 Mar 2024 10:41:06 +0100
                Message-ID<BAA909EF4B505D49BD198FB87F9DA183010CD6AFF8@SRV01.cuzziol.local>
                References<E1rnEtB-000hYc-15@sh001.hostgator.in>
                In-Reply-To<E1rnEtB-000hYc-15@sh001.hostgator.in>
                Accept-Languageit-IT, en-US
                Content-Languageit-IT
                X-MS-Has-Attachyes
                X-MS-Exchange-Organization-SCL-1
                X-MS-TNEF-Correlator<BAA909EF4B505D49BD198FB87F9DA183010CD6AFF8@SRV01.cuzziol.local>
                MIME-Version1.0
                X-MS-Exchange-Organization-MessageDirectionalityOriginating
                X-MS-Exchange-Organization-AuthSourceSRV01.cuzziol.local
                X-MS-Exchange-Organization-AuthAsInternal
                X-MS-Exchange-Organization-AuthMechanism04
                X-Originating-IP[192.168.2.123]
                Return-Pathmilena.piasentin@cuzziol.it
                X-MS-Exchange-Organization-Network-Message-Id36073ab7-989d-44d0-bbed-08dc498b0888
                X-MS-Exchange-Organization-AVStamp-Enterprise1.0
                X-MS-Exchange-Transport-EndToEndLatency00:00:00.5457323
                X-MS-Exchange-Processed-By-BccFoldering15.01.2242.012
                dateThu, 21 Mar 2024 10:41:06 +0100

                File Icon

                Icon Hash:c4e1928eacb280a2