Edit tour

Windows Analysis Report
964232908.eml

Overview

General Information

Sample name:	964232908.eml
Analysis ID:	1474138
MD5:	0f3b4b86d101d2d34db0836881e86921
SHA1:	b1f44700f20fb200633cdd5fc9edef62c4186180
SHA256:	c30da1ac66a33b15a7fb781249fd031c4bcbc10963f60587a3fa356fb3596d32
Infos:

Detection

MeshAgent

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

AI detected suspicious e-Mail

Changes security center settings (notifications, updates, antivirus, firewall)

Chrome blocked dangerous download

Creates files in the system32 config directory

Deletes keys which are related to windows safe boot (disables safe mode boot)

Enables network access during safeboot for specific services

Tries to delay execution (extensive OutputDebugStringW loop)

Yara detected MeshAgent RemoteAdmin Tool

Adds / modifies Windows certificates

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected non-DNS traffic on DNS port

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Queries disk information (often used to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores files to the Windows start menu directory

Stores large binary data to the registry

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 5768 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\964232908.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 548 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CF355990-3FFB-4DC5-A0EC-B46857C4D5E5" "739F14CA-99A2-4385-AA8C-C8E0ECBBDDEA" "5768" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 7076 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 6268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 7832 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5552 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 8088 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

Voicemail#78770269.exe (PID: 8164 cmdline: "C:\Users\user\Downloads\Voicemail#78770269.exe" MD5: 7D16AD2FAF3F5AAA88A9C01E2383DF28)

conhost.exe (PID: 8172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6404 cmdline: wmic os get oslanguage /FORMAT:LIST MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 4732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Voicemail#78770269.exe (PID: 6596 cmdline: "C:\Users\user\Downloads\Voicemail#78770269.exe" -fullinstall MD5: 7D16AD2FAF3F5AAA88A9C01E2383DF28)

conhost.exe (PID: 1768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Voicemail#78770269 (1).exe (PID: 7944 cmdline: "C:\Users\user\Downloads\Voicemail#78770269 (1).exe" MD5: 7D16AD2FAF3F5AAA88A9C01E2383DF28)

conhost.exe (PID: 7960 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2080 cmdline: wmic os get oslanguage /FORMAT:LIST MD5: C37F2F4F4B3CD128BDABCAEB2266A785)

conhost.exe (PID: 2136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Voicemail#78770269 (1).exe (PID: 7404 cmdline: "C:\Users\user\Downloads\Voicemail#78770269 (1).exe" -fullinstall MD5: 7D16AD2FAF3F5AAA88A9C01E2383DF28)

conhost.exe (PID: 7380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 3512 cmdline: /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 6440 cmdline: CHOICE /C Y /N /D Y /T 10 MD5: 1A9804F0C374283B094E9E55DC5EE128)

cmd.exe (PID: 8116 cmdline: /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

choice.exe (PID: 8068 cmdline: CHOICE /C Y /N /D Y /T 10 MD5: 1A9804F0C374283B094E9E55DC5EE128)

svchost.exe (PID: 2012 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

SgrmBroker.exe (PID: 6444 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)

svchost.exe (PID: 6464 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6752 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 6860 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

MpCmdRun.exe (PID: 7596 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)

conhost.exe (PID: 7556 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 6828 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

svchost.exe (PID: 7088 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

Receipt2024.exe (PID: 1752 cmdline: "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe" --meshServiceName="WindowsMediaPlayer" --installedByUser="S-1-5-21-2246122658-3693405117-2476756634-1003" MD5: 7D16AD2FAF3F5AAA88A9C01E2383DF28)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000010.00000000.1593498306.00007FF7A7236000.00000008.00000001.01000000.00000004.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
00000015.00000003.1695553577.0000024ACDDDB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
00000010.00000002.1691916620.0000016B29BE0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
00000017.00000003.1700580061.000001D6EC0D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
00000010.00000002.1691916620.0000016B29CDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
0000001E.00000003.2243674905.000001EDE6699000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
0000001A.00000002.2224697433.000001F4E2A10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_MeshAgent	Yara detected MeshAgent RemoteAdmin Tool	Joe Security
Click to see the 2 entries

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5768, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 656, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 2012, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload

Virustotal: Detection: 9%

Perma Link

Source: https://voicemaill.s3.il-central-1.amazonaws.com/1.html

HTTP Parser: No favicon

Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.db
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.db.tmp
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.msh

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsMediaPlayer

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.74:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.74:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49728 version: TLS 1.2

Source: chrome.exe

Memory has grown: Private usage: 1MB later: 32MB

Networking

Chrome blocked dangerous download

Source: screenshot	OCR Text: e Voicemail Player C voicemaill.s3.il-central-1.amazonaws.com/l.html Recent Downloads A voicemail78770269 Keep (l).exe Blocked Dangerous voicemail7877026g.exe 5.9 MB Done Show all downloads Voicemail #78770269 7/15/2024 - 2M Mb 04-24 Download 07:01 ENG p Type here to search SG 16/07/2024
Source: screenshot	OCR Text: e Voicemail Player C voicemaill.s3.il-central-1.amazonaws.com/l.html Recent Downloads A voicemail78770269 Keep (l).exe Blocked Dangerous voicemail7877026g.exe 5.9 MB Show all downloads Voicemail #78770269 7/15/2024 - 2M Mb 04-24 Download 07:01 ENG p Type here to search SG 16/07/2024

Enables network access during safeboot for specific services

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry value created: NULL Service

Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.16:61223 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74
Source: unknown	TCP traffic detected without corresponding DNS query: 40.126.32.74

Source: global traffic

HTTP traffic detected: GET /tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2 HTTP/1.1Host: tracking.validatax.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: tracking.validatax.com
Source: global traffic	DNS traffic detected: DNS query: voicemaill.s3.il-central-1.amazonaws.com
Source: global traffic	DNS traffic detected: DNS query: filedn.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: sync.hiddenvnc.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61243 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61226
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61228
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61229
Source: unknown	Network traffic detected: HTTP traffic on port 61237 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61233 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61240 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61225
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown	Network traffic detected: HTTP traffic on port 61246 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61225 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61242 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61229 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61237
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61238
Source: unknown	Network traffic detected: HTTP traffic on port 61236 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61239
Source: unknown	Network traffic detected: HTTP traffic on port 61232 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61231
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61232
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61233
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61234
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61235
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61236
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 61245 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61226 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61241 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61235 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61231 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61240
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61241
Source: unknown	Network traffic detected: HTTP traffic on port 61239 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61242
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61243
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61244
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61245
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 61246
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61244 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 61234 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 61238 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49705 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.74:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 40.126.32.74:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.16:49728 version: TLS 1.2

Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\732DA73003C264E71A546DADB8191B486F01ED08
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\735C63D28551E57778FA8B0BAC378FB634BCC742
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8F6AE7EE3F174BF3DB42C8B3E4E0A6CD459AA5B2
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\97B9EE540B304BC1D7086ED93489F6E04628FA70

Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe

File deleted: C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\732DA73003C264E71A546DADB8191B486F01ED08

Source: classification engine

Classification label: mal80.troj.evad.winEML@70/23@9/134

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

File created: C:\Program Files\Windows Media Player\WindowsMediaPlayer

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1768:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7960:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4732:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7380:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240716T0700390929-5768.etl

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\964232908.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CF355990-3FFB-4DC5-A0EC-B46857C4D5E5" "739F14CA-99A2-4385-AA8C-C8E0ECBBDDEA" "5768" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CF355990-3FFB-4DC5-A0EC-B46857C4D5E5" "739F14CA-99A2-4385-AA8C-C8E0ECBBDDEA" "5768" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5552 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5552 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269.exe "C:\Users\user\Downloads\Voicemail#78770269.exe"
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4384 --field-trial-handle=2008,i,17153952914528669363,8766277294368052657,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269.exe "C:\Users\user\Downloads\Voicemail#78770269.exe"
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269.exe "C:\Users\user\Downloads\Voicemail#78770269.exe" -fullinstall
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe" --meshServiceName="WindowsMediaPlayer" --installedByUser="S-1-5-21-2246122658-3693405117-2476756634-1003"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269.exe "C:\Users\user\Downloads\Voicemail#78770269.exe" -fullinstall
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269 (1).exe "C:\Users\user\Downloads\Voicemail#78770269 (1).exe"
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Windows\System32\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Users\user\Downloads\Voicemail#78770269 (1).exe "C:\Users\user\Downloads\Voicemail#78770269 (1).exe" -fullinstall
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\cmd.exe /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe"
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\cmd.exe /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269 (1).exe "C:\Users\user\Downloads\Voicemail#78770269 (1).exe"
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Users\user\Downloads\Voicemail#78770269 (1).exe "C:\Users\user\Downloads\Voicemail#78770269 (1).exe" -fullinstall
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\cmd.exe /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe"
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\cmd.exe /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: symsrv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wlidsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gamestreamingext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msauserext.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: tbs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dhcpcsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elscore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: elstrans.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptngc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: smartscreenps.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: thumbcache.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: pcacli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: symsrv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: napinsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wshbth.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: winrnr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: firewallapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: fwbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: uxtheme.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: apphelp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: dbghelp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: ncrypt.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: dbgcore.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: ntasn1.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: symsrv.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: napinsp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: wshbth.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: nlaapi.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: mswsock.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: dnsapi.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: winrnr.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: cryptbase.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: ntmarta.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: pcpksp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: tbs.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: ncryptprov.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: cryptsp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: rsaenh.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: winsta.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: powrprof.dll
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Section loaded: umpdc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: symsrv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: msasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: textinputframework.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: coremessaging.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: ntmarta.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wintypes.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: textshaping.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: edputil.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: urlmon.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: iertutil.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: srvcli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: netutils.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: smartscreenps.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: policymanager.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: msvcp110_win.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: shdocvw.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: gpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: thumbcache.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: appresolver.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: slc.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: sppc.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: pcacli.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: vcruntime140_1.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: dbghelp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: dbgcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: symsrv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: napinsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wshbth.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: nlaapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: mswsock.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: winrnr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: firewallapi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: fwbase.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: fwpolicyiomgr.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: profapi.dll
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll
Source: C:\Windows\System32\choice.exe	Section loaded: version.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.db
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.db.tmp
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Directory created: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.msh

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WindowsMediaPlayer

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 9 Reasons: The email appears to impersonate a voice mail service, which is a common tactic to create a sense of urgency. The use of a generic company name 'VOICE MAIL LTD' and the inclusion of a download link are suspicious. The email body contains a 'Download' link, which is a common phishing tactic to induce clicks. The email also includes a 'Manage Notifications' link, which could be another attempt to deceive the recipient. The overall design and content of the email suggest it is attempting to trick the recipient into clicking on potentially harmful links.

Creates files in the system32 config directory

Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\732DA73003C264E71A546DADB8191B486F01ED08
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\735C63D28551E57778FA8B0BAC378FB634BCC742
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8F6AE7EE3F174BF3DB42C8B3E4E0A6CD459AA5B2
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\97B9EE540B304BC1D7086ED93489F6E04628FA70

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\7e5c6b99-f28a-407f-876f-f22b3ae8aaef.tmp			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 261524.crdownload			Jump to dropped file

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WindowsMediaPlayer

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WindowsMediaPlayer

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Section loaded: OutputDebugStringW count: 1895
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Section loaded: OutputDebugStringW count: 1896

Source: C:\Windows\System32\svchost.exe

File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe

Window / User API: threadDelayed 9985

Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe TID: 3192	Thread sleep count: 9985 > 30
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe TID: 7428	Thread sleep count: 82 > 30
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe TID: 7428	Thread sleep time: -82000s >= -30000s

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Source: C:\Users\user\Downloads\Voicemail#78770269.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_ComputerSystem

Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Users\user\Downloads\Voicemail#78770269.exe	Process created: C:\Users\user\Downloads\Voicemail#78770269.exe "C:\Users\user\Downloads\Voicemail#78770269.exe" -fullinstall
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\wbem\WMIC.exe wmic os get oslanguage /FORMAT:LIST
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Users\user\Downloads\Voicemail#78770269 (1).exe "C:\Users\user\Downloads\Voicemail#78770269 (1).exe" -fullinstall
Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe	Process created: C:\Windows\System32\cmd.exe /C CHOICE /C Y /N /D Y /T 10 & del "C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\choice.exe CHOICE /C Y /N /D Y /T 10

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval

Deletes keys which are related to windows safe boot (disables safe mode boot)

Source: C:\Users\user\Downloads\Voicemail#78770269 (1).exe

Registry key or value deleted: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\WindowsMediaPlayer

Source: C:\Users\user\Downloads\Voicemail#78770269.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'

Stealing of Sensitive Information

Yara detected MeshAgent RemoteAdmin Tool

Source: Yara match	File source: 00000010.00000000.1593498306.00007FF7A7236000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, type: DROPPED
Source: Yara match	File source: 00000015.00000003.1695553577.0000024ACDDDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691916620.0000016B29BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1700580061.000001D6EC0D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691916620.0000016B29CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2243674905.000001EDE6699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2224697433.000001F4E2A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected MeshAgent RemoteAdmin Tool

Source: Yara match	File source: 00000010.00000000.1593498306.00007FF7A7236000.00000008.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, type: DROPPED
Source: Yara match	File source: 00000015.00000003.1695553577.0000024ACDDDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691916620.0000016B29BE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000003.1700580061.000001D6EC0D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1691916620.0000016B29CDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2243674905.000001EDE6699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2224697433.000001F4E2A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Windows Management Instrumentation	21 Windows Service	21 Windows Service	113 Masquerading	OS Credential Dumping	14 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	1 Inhibit System Recovery
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Browser Extensions	11 Process Injection	1 Modify Registry	LSASS Memory	14 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	14 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	21 Disable or Modify Tools	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Extra Window Memory Injection	11 Process Injection	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	34 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Extra Window Memory Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Source	Detection	Scanner	Label	Link
964232908.eml	0%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	5%	ReversingLabs
C:\Users\user\Downloads\Unconfirmed 261524.crdownload	10%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
api.smtprelay.co	0%	Virustotal	Browse
filedn.com	2%	Virustotal	Browse
www.google.com	0%	Virustotal	Browse
bg.microsoft.map.fastly.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false	0%, Virustotal, Browse	unknown
sync.hiddenvnc.com	66.94.109.162	true	false		unknown
api.smtprelay.co	91.134.146.190	true	false	0%, Virustotal, Browse	unknown
s3-r-w.il-central-1.amazonaws.com	16.12.14.7	true	false		unknown
www.google.com	172.217.16.132	true	false	0%, Virustotal, Browse	unknown
filedn.com	23.109.93.100	true	false	2%, Virustotal, Browse	unknown
tracking.validatax.com	unknown	unknown	false		unknown
voicemaill.s3.il-central-1.amazonaws.com	unknown	unknown	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2	false	Avira URL Cloud: safe	unknown
https://voicemaill.s3.il-central-1.amazonaws.com/1.html	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.99	unknown	United States	15169	GOOGLEUS	false
34.104.35.123	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
16.12.14.7	s3-r-w.il-central-1.amazonaws.com	United States	unknown	unknown	false
142.250.186.174	unknown	United States	15169	GOOGLEUS	false
142.250.186.163	unknown	United States	15169	GOOGLEUS	false
66.94.109.162	sync.hiddenvnc.com	United States	394513	AWESOMENET-CORPUS	false
20.189.173.27	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
64.233.167.84	unknown	United States	15169	GOOGLEUS	false
40.126.32.74	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
52.109.28.47	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.160	unknown	European Union	16625	AKAMAI-ASUS	false
91.134.146.190	api.smtprelay.co	France	16276	OVHFR	false
172.217.18.110	unknown	United States	15169	GOOGLEUS	false
199.232.210.172	bg.microsoft.map.fastly.net	United States	54113	FASTLYUS	false
172.217.16.132	www.google.com	United States	15169	GOOGLEUS	false
23.109.93.100	filedn.com	Netherlands	7979	SERVERS-COMUS	false

Private

IP
192.168.2.16
192.168.2.7

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1474138
Start date and time:	2024-07-16 13:00:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	964232908.eml
Detection:	MAL
Classification:	mal80.troj.evad.winEML@70/23@9/134
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 88.221.110.91, 2.16.100.168
Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, download.windowsupdate.com.edgesuite.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

LLM Input / Output

Input	Output
URL: e-Mail	```json{ "riskscore": 9, "brand_impersonated": "Voice Mail Service", "reasons": "The email appears to impersonate a voice mail service, which is a common tactic to create a sense of urgency. The use of a generic company name 'VOICE MAIL LTD' and the inclusion of a download link are suspicious. The email body contains a 'Download' link, which is a common phishing tactic to induce clicks. The email also includes a 'Manage Notifications' link, which could be another attempt to deceive the recipient. The overall design and content of the email suggest it is attempting to trick the recipient into clicking on potentially harmful links."}

URL: https://voicemaill.s3.il-central-1.amazonaws.com/1.html	{"loginform": false,"urgency": false,"captcha": false,"reasons": ["The webpage title 'Voicemail Player' and text 'Voicemail #78770269 7/15/2024 -2 1 Mb 04-24 Download' do not contain a login form requesting sensitive information.","The text does not create a sense of urgency or interest by not including phrases like 'Click here to view document' or 'To view secured document click here'.","The webpage does not contain a CAPTCHA or any other anti-robot detection mechanism."]}
Title: Voicemail Player OCR: Voicemail #78770269 7/15/2024 -2 1 Mb 04-24 Download

Created / dropped Files

C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.msh

Download File

Process:	C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
File Type:	Unicode text, UTF-8 text, with very long lines (64988), with CRLF line terminators
Category:	dropped
Size (bytes):	141629
Entropy (8bit):	5.5309891254674515
Encrypted:	false
SSDEEP:
MD5:	5CE29B3E5F5BF432F5E1BF3D790BE739
SHA1:	418F6385064921EEC2ACD6A21F2E93F1368537E4
SHA-256:	981EFDCB38932947F56E9C24582B222A7DE47A17F4A9DC48790695D515231CF2
SHA-512:	E0A343479B7D0CE9CC260C87F79017757281C1D543A1794CB2A0E8B80544E7010256FC4A300B598B22376C3B3CE7DF53D56F058426409983279D5B64B5AAFF45
Malicious:	false
Reputation:	unknown
Preview:	..MeshName=1000 Bot..MeshType=2..MeshID=0xFB511161E19D8EA1C35AF878AAD2CB1940B921122CA0F5F405683ABD07EABD0711745ACB53E5E0D993C66C1E2E9B9FA6..ServerID=4D178A285A314638BAB6AA08AEB58AC66BFB0621E3D58A193C4D68B282AF9DF74FE37ACD4F10F0A80EAABEF96189C45E..MeshServer=wss://sync.hiddenvnc.com:443/agent.ashx..InstallFlags=2..displayName=Windows Media Player...description=Windows Media Player. Product. agent for remote monitoring, management and assistance...companyName=Windows Media Player..meshServiceName=WindowsMediaPlayer..fileName=Receipt2024..image=data:image/png;base64,/9j/4AAQSkZJRgABAQACWAJYAAD/4QAC/9sAhAADAgICAgIDAgICAwMDAwQGBAQEBAQIBgYFBgkICgoJCAkJCgwPDAoLDgsJCQ0RDQ4PEBAREAoMEhMSEBMPEBAQAQMDAwQDBAgEBAgQCwkLEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBD/wgARCAeAB4ADAREAAhEBAxEB/8QANwABAQACAgMBAAAAAAAAAAAAAAgGBwUJAQMEAgEBAAICAwEAAAAAAAAAAAAAAAUHBAYBAwgC/9oADAMBAAIQAxAAAADtTAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2242657028498987
Encrypted:	false
SSDEEP:
MD5:	8817D9563540CEAFFB7BFF9A69002E92
SHA1:	6D8D8163E1A6E71B11CF0E7B0CC82B9B101A251E
SHA-256:	EAD89D279A2BCEFB37362196628216C89C9FC3992C318B262183C83ADDBE306E
SHA-512:	05CC638A92B347F7A19D8AA4A37488A73E977E464922DD7EDD9B0A5DA3288631514901C630BD64E1777FD0201853DCD26105591C6D57F6A6BCDCFBCD03111C1F
Malicious:	false
Reputation:	unknown
Preview:	p...... ........u{Jyo...(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.385134089430193
Encrypted:	false
SSDEEP:
MD5:	ADA9F2991B072A2F91150DC5C4059A5F
SHA1:	A4AA6FEED833B7CD8A5877116CA407576D7914AC
SHA-256:	48E5E15A23ABA23A488E23F535D4C9EEFB2AAA8BF78E9DACF6EDC2285CB50DD2
SHA-512:	C3F0CEE9A51CFC56FA946C6B17350590B00261F83F069E5D922B4A9A553C2D0A4AC75B23053D57E2E0DB6F4CD9A07BD5AD13E35B62659DE0F95BF8B0C15FD732
Malicious:	false
Reputation:	unknown
Preview:	TH02...... ...9[o.......SM01X...,.....+[o...........IPM.Activity...........h...............h............H..h\|.O......t1L...h........`...H..h\cal ...pDat...h.K..0....O....h\|p.'...........h........_`Rk...h q.'@...I.lw...h....H...8.Wk...0....T...............d.........2h...............k..............!h.............. h........O...#h....8.........$h`.......8....."h.a......P^....'h..............1h\|p.'<.........0h....4....Wk../h....h.....WkH..h@...p...\|.O...-h .........O...+h.s.'....p.O................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	unknown
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.170950594454669
Encrypted:	false
SSDEEP:
MD5:	91CAD99A764B6F3D07B9A1D85749EADF
SHA1:	8353EC0D9E40E02FAF095915C4FB95224CA4445B
SHA-256:	D112CDC86F83C26B21C7F87388A6EDF8B9B947C8797195F0E938F3CCFB6CFC02
SHA-512:	93AD0E91CB21AE8E174D10B14AF9987050468F4E77625868E1B4CAC5F53AB89C138EE4B1A0B58E642EE6116F661F1199CAC98CF4179846E312911A0932FC0288
Malicious:	false
Reputation:	unknown
Preview:	1721127642

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13700485453793962
Encrypted:	false
SSDEEP:
MD5:	0DAC008A93F1893172869FE6470FFC7E
SHA1:	8C129927A8F9265ADEED6484338FFF973104D7CF
SHA-256:	04CEA21EDFC65A4EBE977378498F2FE8F6A4120368D338BB6F03CDB5AC00610A
SHA-512:	4199F5D9B955ECE15D98C63C15B04FFE2AEA7D1167E28491DBB8C4EE01F9745AB656301441A1EEE87A1C26B50E9FD6CC388FF5BC520E856B09C448A7B6B85984
Malicious:	false
Reputation:	unknown
Preview:	.... .c.......a/....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	EB6C2EB044AF79FB8195027ECFF50860
SHA1:	01F1805D8CE5D6B04C13C98DE54596B8799153A7
SHA-256:	7F2B1ACF3026160F0AB3CB043517A6BA36EA01C84061467A0D5246ACDE289F35
SHA-512:	8E6805E95FC9DD04F0C001D97B424C1E87063E754AB0B393BD5483B0F025C3C310EC3992C7B9749228A5906EBE6457A3840970F52333D525A485A58B459BF5C1
Malicious:	false
Reputation:	unknown
Preview:	....p.........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jul 16 10:00:53 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.98308160647146
Encrypted:	false
SSDEEP:
MD5:	FE7D372A54FA8DB5FB51B2EB9FA0D210
SHA1:	3756925E57E8E0649325446FE68E330398ADC451
SHA-256:	34DAE9FEF2363E7EF1E954F5CC352C957D11E3627DBF578856CD7CD299CF75BF
SHA-512:	A0CEB906284C002C0E99DFE86486A331D70B3B4A97F4A148EC47FCDC842F0B3C7BBE17A2962E6370EA15C92286C853434BB1B5B19E35E8457D916F4D4BE23DF8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Vumo...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.X...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jul 16 10:00:53 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.999877913128028
Encrypted:	false
SSDEEP:
MD5:	32A2E0973514A0DA586251F53AECAF58
SHA1:	30B0E4127CEFB111F796055352734292AE415725
SHA-256:	B99B337619FB8AD04B91585903AD91B561350FA7E6FBAFDE266718198982C571
SHA-512:	ACD22583D097BF4EA9CC211C76207B18E4C6EC779EF551B097227FE7F84CB169D6A999B99D0F3E9E8C1BB69BCE0F30F2A89DD2F9A04B9C8957A0C6174795FBCD
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....fmo...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.X...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.009848152330208
Encrypted:	false
SSDEEP:
MD5:	66B90C646679B881233C1E82B2F8E1DA
SHA1:	0917C22C67C39D8036BA900B641EE5A5EF64E5BF
SHA-256:	F938E6FD3C4E50E1AD66AF0249196E0E84A60044D38DB69FD0BBF00E263F11BD
SHA-512:	425124D992672FE01CB72E29623789C4E56B9048DBCF396D932AF402F004EEEDE7B09F66F769D50E6E882F39FB4708F435D72A7D747463EC641FA067D97F33B9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jul 16 10:00:53 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.997670373295777
Encrypted:	false
SSDEEP:
MD5:	A9FD3224023B32246BFBE311367397CA
SHA1:	02CB5DED38CA42D229BA8AB66AF52DB8097498D0
SHA-256:	516F0034254BA4141CA46D30E6E17C68BD35A362D4A8D620E5D05399337F871B
SHA-512:	BDEBA7DFFF8D4D3713757BBD7AF11E9445C1473A1CD678DB2CCAE424D60291D1896A723EE9D28DED9DF6F8C8A1C472878FAA59EB17E979401DACC5CE424A4873
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....6_mo...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.X...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jul 16 10:00:53 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9859573813502363
Encrypted:	false
SSDEEP:
MD5:	22E382CEF4AABBD43B2CF33ED1EC3ADD
SHA1:	08D08FECC86E0BC3766DCC20A795DC0F7355036B
SHA-256:	D507E2482924E64EE757C00BA018E4378DB9CA3199154BCE81CB582621C38100
SHA-512:	D64254490F067C9A9CC917E1020B54C383D4C3FE010DD25E60A819365E031EA02D40BEDFDBB4A011E7410A26E128754017302C23F88173DC161E7979CE2D5D18
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....<.nmo...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.X...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Jul 16 10:00:53 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.997294541270234
Encrypted:	false
SSDEEP:
MD5:	114B1056E06DD975C14070A3759FAA3C
SHA1:	1A4B319574C64CB9CF7D5923F274DC44AEC13CD2
SHA-256:	EAF4636BB2462E18E19EC15A15F136D3B0F3D675AF380AADE80DA2F9620937AB
SHA-512:	6B1BB9E4476A707C9C1440E91AB5FCE5BC97A78606D7A0D8EE34F23391F469BF7FBE4F429EE178ACBF58C2CEBC7B06431BC56EC616DE59A16AC0D4A901C6EF03
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......Smo...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.X....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X.X....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X.X....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X.X..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X.X...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i............(.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\7e5c6b99-f28a-407f-876f-f22b3ae8aaef.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	8192
Entropy (8bit):	5.439351356308919
Encrypted:	false
SSDEEP:
MD5:	212AD0ABED6D9AE4CCFA8599B626E688
SHA1:	078E4CBEAAF892289042E0A3601EFEBE6FBCB8CB
SHA-256:	4C7B6796743CF157EE241D7744B998FFE681A61A37CE8EF55AFF2C08FF3826F2
SHA-512:	52ADC7D4F944E3823D3F0CD090441293444A023BBC57CE3D81E922EB659F9A8E715A02DC28322041A8D01BE0C851B2BF141AB7D2D35A772BE41339BC5EFFD935
Malicious:	false
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Q...0kN.0kN.0kN.HhO.0kN.HnOo0kNy..N.0kNy.hO.0kNy.oO.0kNy.nO.0kN-noOJ1kN.HlO.0kN.HoO.0kN.HjO.0kN.0jN.1kN..nO.0kN..oO.0kN...N.0kN.0.N.0kN..iO.0kNRich.0kN........PE..d....F.f.........."....(..A.........0.7........@..............................^.......\...`................................................../M.,.... \..7....Z.......\..R...`^.xc...{K.8............................yK.@............0A..............................text.....A.......A................. ..`.rdata...*...0A..,....A.............@..@.data........`M......DM.............@....pdata........Z......JW.............@..@.rsrc....7... \..8...hY.............@..@.reloc..xc...`^..d....[.............@..B................................................................................................................................................................................................................

C:\Users\user\Downloads\Unconfirmed 261524.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6182608
Entropy (8bit):	6.141285067999811
Encrypted:	false
SSDEEP:
MD5:	7D16AD2FAF3F5AAA88A9C01E2383DF28
SHA1:	8E80D74EB100C9C513936EB0ED8EEBD70A08804E
SHA-256:	AF0122C0DB59F5620D24089E4050EC01A49CFFFA05B2B72F3398A69CCC8F9B07
SHA-512:	E704112AF873FEA08A45624F697A801CBFD4DF2F8F61CE8DA23E4221B7C3682090748ABE9C795F3106383CFA1CE42DC4366868285A93719ED0EC4B943CDB38BA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_MeshAgent, Description: Yara detected MeshAgent RemoteAdmin Tool, Source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, Author: Joe Security Rule: JoeSecurity_MeshAgent, Description: Yara detected MeshAgent RemoteAdmin Tool, Source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, Author: Joe Security Rule: JoeSecurity_MeshAgent, Description: Yara detected MeshAgent RemoteAdmin Tool, Source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, Author: Joe Security Rule: JoeSecurity_MeshAgent, Description: Yara detected MeshAgent RemoteAdmin Tool, Source: C:\Users\user\Downloads\Unconfirmed 261524.crdownload, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 5% Antivirus: Virustotal, Detection: 10%, Browse
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Q...0kN.0kN.0kN.HhO.0kN.HnOo0kNy..N.0kNy.hO.0kNy.oO.0kNy.nO.0kN-noOJ1kN.HlO.0kN.HoO.0kN.HjO.0kN.0jN.1kN..nO.0kN..oO.0kN...N.0kN.0.N.0kN..iO.0kNRich.0kN........PE..d....F.f.........."....(..A.........0.7........@..............................^.......\...`................................................../M.,.... \..7....Z.......\..R...`^.xc...{K.8............................yK.@............0A..............................text.....A.......A................. ..`.rdata...*...0A..,....A.............@..@.data........`M......DM.............@....pdata........Z......JW.............@..@.rsrc....7... \..8...hY.............@..@.reloc..xc...`^..d....[.............@..B................................................................................................................................................................................................................

C:\Users\user\Downloads\Voicemail#78770269.exe (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	7D16AD2FAF3F5AAA88A9C01E2383DF28
SHA1:	8E80D74EB100C9C513936EB0ED8EEBD70A08804E
SHA-256:	AF0122C0DB59F5620D24089E4050EC01A49CFFFA05B2B72F3398A69CCC8F9B07
SHA-512:	E704112AF873FEA08A45624F697A801CBFD4DF2F8F61CE8DA23E4221B7C3682090748ABE9C795F3106383CFA1CE42DC4366868285A93719ED0EC4B943CDB38BA
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........Q...0kN.0kN.0kN.HhO.0kN.HnOo0kNy..N.0kNy.hO.0kNy.oO.0kNy.nO.0kN-noOJ1kN.HlO.0kN.HoO.0kN.HjO.0kN.0jN.1kN..nO.0kN..oO.0kN...N.0kN.0.N.0kN..iO.0kNRich.0kN........PE..d....F.f.........."....(..A.........0.7........@..............................^.......\...`................................................../M.,.... \..7....Z.......\..R...`^.xc...{K.8............................yK.@............0A..............................text.....A.......A................. ..`.rdata...*...0A..,....A.............@..@.data........`M......DM.............@....pdata........Z......JW.............@..@.rsrc....7... \..8...hY.............@..@.reloc..xc...`^..d....[.............@..B................................................................................................................................................................................................................

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Download File

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	modified
Size (bytes):	4926
Entropy (8bit):	3.2473168675989488
Encrypted:	false
SSDEEP:
MD5:	0126035BDE5251B6CEB404EEB05617E1
SHA1:	56A8E57B85CFEDAB9668553B75D57C169A99FD74
SHA-256:	D1C9044EFE3B9444490DB4D9FCF845BAB6C58E9ED4DB882B213503A139C809A4
SHA-512:	4F92A023DA1B4E557E67532FFD4621FD5CA0B8337F58FF26ED3C812627D167CB0CDCFD13F576DAB7B76CABF0B5984FD87B8B6E0D76B9606E9DCA587A564A3D01
Malicious:	false
Reputation:	unknown
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. F.r.i. .. O.c.t. .. 0.6. .. 2.0.2.3. .1.1.:.3.5.:.2.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e........................................ .W.S.C. .S.t.a.t.e. .I.n.f.o. ................................................................. .A.n.t.i.V.i.r.u.s.P.r.o.d.u.c.t. ..............................d.i.s.p.l.a.y.N.a.m.e. .=. .[.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.].....p.a.t.h.T.o.S.i.g.n.e.d.P.r.o.d.u.c.t.E.x.e. .=. .[.w.i.n.d.o.w.s.d.

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\732DA73003C264E71A546DADB8191B486F01ED08

Download File

Process:	C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
File Type:	data
Category:	dropped
Size (bytes):	1399
Entropy (8bit):	6.94591868481167
Encrypted:	false
SSDEEP:
MD5:	C2A92380F367CA7FC3D3B24E3A0EAF43
SHA1:	5E57778421B223F934F86FD2FAEC40A98CAAB083
SHA-256:	09216F156F4D3E0F34428EF17BC390BF0EA6D63877A99C69037F6FB2AEE846B7
SHA-512:	1714383F37D946D9C8A3989F259858ABA0EB51CEE3335C24D7187EDFB02776F256A12FA72B9C88E827037FB3DF98747F2DF408D76D647724C21FED4AED827C80
Malicious:	false
Reputation:	unknown
Preview:	............s\c.Q.wx....7..4..B........................................C.N.=.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e._.p.r.i.v.a.t.e.k.e.y.........M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r...............s-.0..d..Tm....Ho... .......K...0..G0..........7.x...G.C..e.e..0....H........0O1M0K..U...D.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e0 ..230716110128Z..20540716110128Z0O1M0K..U...D.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e0...0....H.............0...............eo.c.PyM.j.8... A.D.T...HC54h.VrB..Y...J.`m.^....iR......p....v..-u...MuT.3...j..&....q.cr....5x.Y.;.~........0....w.....DH...QY[.`B.W......r......4..%=mZ......jzt5..j.......Z.2..zw.J.....1.^..0.....r.l.@..<>.!!OU...'H....s.+cV./t-/.....q..5mUx.D[.{\..G\|..3S.... ..(.()X.1Q.{......?."s..e'.=i.H..w?I.1........K..s.=^....3.'..R........d..1.MD.S./.`.@A.........0.0...U........0...U....0....0...

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8F6AE7EE3F174BF3DB42C8B3E4E0A6CD459AA5B2

Download File

Process:	C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
File Type:	data
Category:	dropped
Size (bytes):	1399
Entropy (8bit):	7.004277124044441
Encrypted:	false
SSDEEP:
MD5:	BFF1EA02A9137613988D0675552A1CCA
SHA1:	9588B872D52D55A581D7B9119F09763D7425B265
SHA-256:	5F8622347A275CA02B7A61486DDC102CF866AC6B0FFA76A5FCC3A4EF8CE38331
SHA-512:	45A5CB4DDACBB6ED01A1357EA8F4999E3807C780417BFA430998D6A40052D1821C1E6C474048FF5A884128294B3D16A90063CF12119EEF9F2CDA4CDCB9E4BF51
Malicious:	false
Reputation:	unknown
Preview:	...............T.0K...n.4...F(.p........................................C.N.=.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e._.p.r.i.v.a.t.e.k.e.y.........M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r................j..?.K..B....E... .......K...0..G0...........X..ZE~.De.j..8.0....H........0O1M0K..U...D.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e0 ..230716110128Z..20540716110128Z0O1M0K..U...D.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e0...0....H.............0..........D..u{......s..G..$.o....Q...)..._.Z[.u.....Q$.o...{{.h.C......c7.8t...x....U.........r.I}..Q........b..Zf......+...H.ag.+..a..1j!...r..i...8 6...D0..^.<.....u.o........-I..[f>.L...o.....v...B...l.J~<..6]..e....Nc.J+.P..'[D..zc{..I?...k...?.._...Y.>..=..........e.9Q.....K.>#.)"B.+.2'..R.z..._.s.)....-1\|U.....!."v.5yRB.....p~.Yw.'...w....S[...>........U.KB.).......0.0...U........0...U....0....0...

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\735C63D28551E57778FA8B0BAC378FB634BCC742

Download File

Process:	C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
File Type:	data
Category:	dropped
Size (bytes):	256
Entropy (8bit):	3.273389432060166
Encrypted:	false
SSDEEP:
MD5:	2E97F828821DBA8A04F43275D40B86FF
SHA1:	EC36ADF1CDDB0D1446B9A893D14FC662351BEE0C
SHA-256:	395D6EFEFAAB9B2AFBDD7B1B33CDE36C17AA4BA57C86E249130908E3BBF4BFA1
SHA-512:	DD11287B30D5490A7D4E2C729D266787B6F05E58D6B3EE5CD53A4EF6C1FDD6C3C4D6C4DC6C2089C8CF0DC2EEAE624B6F58AE080CA74A65F47378D2CD233D7E25
Malicious:	false
Reputation:	unknown
Preview:	........................................C.N.=.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e._.p.r.i.v.a.t.e.k.e.y.........M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r...#...........s\c.Q.wx....7..4..B

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\97B9EE540B304BC1D7086ED93489F6E04628FA70

Download File

Process:	C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe
File Type:	data
Category:	dropped
Size (bytes):	256
Entropy (8bit):	3.282235769976144
Encrypted:	false
SSDEEP:
MD5:	22071E722A463CE8918029909D5FFD00
SHA1:	F2105A57E92D83EE29E0A600965A992EBAF1CA92
SHA-256:	1ACBCEF47FA1992042DD4A5B66D2B88D5FF8E4E54BD8F1E7A0EE6036C49985E0
SHA-512:	42240468D89923A6F9EFB44530199B76F0ACFF16AF8E6CC288A33D69068207B7334C6AA90349C09EA5A78B1AC8570B606FE91F7F18860F9C71C9427C31824991
Malicious:	false
Reputation:	unknown
Preview:	........................................C.N.=.W.i.n.d.o.w.s.M.e.d.i.a.P.l.a.y.e.r._.N.o.d.e.C.e.r.t.i.f.i.c.a.t.e._.p.r.i.v.a.t.e.k.e.y.........M.i.c.r.o.s.o.f.t. .S.o.f.t.w.a.r.e. .K.e.y. .S.t.o.r.a.g.e. .P.r.o.v.i.d.e.r...#..............T.0K...n.4...F(.p

\Device\ConDrv

Download File

Process:	C:\Users\user\Downloads\Voicemail#78770269 (1).exe
File Type:	ASCII text, with CR, LF line terminators
Category:	dropped
Size (bytes):	732
Entropy (8bit):	4.9605247829081875
Encrypted:	false
SSDEEP:
MD5:	81B0B0D8164728962F530F13CFCC614F
SHA1:	6D5D854D83E90371BB744D65792F192BB0828310
SHA-256:	26B3AD1D66970E7410D5384C762C0596BE84F084046A7F4CBFAA52E2DB228272
SHA-512:	2521F39DB8B52A6901F3972439E048C541F4DD41A978399C40446482EE1CEB143D02DED66439FCA7053E41C05CED6FADAD9DA979E22549D21D10D90B6C68BBC3
Malicious:	false
Reputation:	unknown
Preview:	...Checking for previous installation of "WindowsMediaPlayer" [FOUND: C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe]. -> Checking firewall rules for previous installation... [0%]. -> Checking firewall rules for previous installation... [0%]. -> Checking firewall rules for previous installation... [5%]. -> Checking firewall rules for previous installation... [10%]. -> Checking firewall rules for previous installation... [DONE]. -> Stopping Service... [STOPPED]. -> Uninstalling previous installation... [DONE]. -> Checking for secondary agent... [NONE]....Installing service [ERROR] fs.openSync(): Error opening 'C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.exe'

Static File Info

General

File type:	ASCII text, with very long lines (599)
Entropy (8bit):	6.059629183255496
TrID:
File name:	964232908.eml
File size:	8'706 bytes
MD5:	0f3b4b86d101d2d34db0836881e86921
SHA1:	b1f44700f20fb200633cdd5fc9edef62c4186180
SHA256:	c30da1ac66a33b15a7fb781249fd031c4bcbc10963f60587a3fa356fb3596d32
SHA512:	f81ea3bdaaaf11871d2d092af394236f99ad03ec288e59bf4b74d4ea7516d1bb8ef478fb6dbd63430da65e1dbe1c585098168a9af788c0d5418810211b2a215c
SSDEEP:	192:6Yfn4vwQtrIc0ywrUzKdlueNQRQ3HTZWFQDLxYtGXeUXs4GzGqHeiGGJHzq+YMU:3fn4YQdIc0v2MlueUQXT+QDLxcGBHhCK
TLSH:	0B0208C256FBD03258083D7865C4F4B3557D7B8BC540B5E19098D98AD2CFCAE6AF058D
File Content Preview:	DKIM-Signature: v=1; a=rsa-sha256; d=emails.zixflow.us; s=api;..c=relaxed/simple; t=1721079516; h=from:date:subject:reply-to:to;..bh=a0XmH9N+ZzP1kN3vlxlLALTXIPXUt4zndOkMLBtf8P0=;..b=T2UTbJ3eYmU7WNWzWnHTcucukCVpyJE7V6eaHP03kHn6W17hXiHMQt3hVMZgfrT6FKkN02UZ/

Static Mail

General

Subject:	You've Got a Voicemail Waiting!
From:	Voice Details <newss@validatax.com>
To:	info@example.ru
Cc:
BCC:
Date:	Mon, 15 Jul 2024 21:38:36 +0000
Communications:	New Voice Mail Message From: +1 575-417-1200 Date:7/15/2024 04:24 <http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVdeSsG7WIGPHNf7vqHFfvuY32JYAW2u3ya1S-PUW9QU7rSsaZpMbinqz36M6PkEshqSed6Q_4xlSawkJjHH-cc6_g2> Downloa <http://tracking.validatax.com/tracking/click?d=zPandM5XSJ-ctAFgXFJ878Q_kKuk6ZUdgr_Xi_5UN4ixyzSniijTwou2LFwq8gT9fsttFTPoA1tQ-Ub7eeWeTbs9kTETQWK2KKTXq_lRxVcAeRvksjXHlq_qvf0zXksnySGjzLusZ5ZuKMRLQfmevE4Qy72hlFw1mIvWSquvcOi5ucNjigvmUWi6RzoIbeecAQ2> d This is an automated message. Please do not reply. VOICE MAIL LTD, NewYork , NewYork, NewYork, 12111, United States <http://tracking.validatax.com/tracking/unsubscribe?d=rcLDE6HsFSoSPBCXL-dr-WNfv2YWfEwaq9LnXYx0uueer-OmzyaIDqwpoaqQAc4O1G2TcHtyraq48bwVqjW1Elc1> MANAGE NOTIFICATIONS <http://tracking.validatax.com/tracking/botclick?msgid=xCe556kJCrtfsSi0jSME1Q2&c=1812965013477083960>
Attachments:

Headers

Key	Value
DKIM-Signature	v=1; a=rsa-sha256; d=emails.zixflow.us; s=api; c=relaxed/simple; t=1721079516; h=from:date:subject:reply-to:to; bh=a0XmH9N+ZzP1kN3vlxlLALTXIPXUt4zndOkMLBtf8P0=; b=T2UTbJ3eYmU7WNWzWnHTcucukCVpyJE7V6eaHP03kHn6W17hXiHMQt3hVMZgfrT6FKkN02UZ/1H N5Fl0FhC2kRc56b25Ej+WjsbkRku6HtnY4ywrOvyAM27ndY2z/oXotIvOf76EXgnFL4Z777P14ch1 lIq1qj1wP/w9qF6h9FQ=
From	Voice Details <newss@validatax.com>
Date	Mon, 15 Jul 2024 21:38:36 +0000
Subject	You've Got a Voicemail Waiting!
Message-ID	<4unl0x7dj8x5.xCe556kJCrtfsSi0jSME1Q2@tracking.validatax.com>
Reply-To	Voice Details <newss@validatax.com>
Sender	noreply@emails.zixflow.us
To	info@example.ru
X-Msg-EID	xCe556kJCrtfsSi0jSME1Q2
set	salessimplify
campaignId	66959697463fd5d7b98d6108
accountId	668c13eef6cc778f15283482
customerId	669596a540274e7224c187a3
email	info@example.ru
callbackUrl
X-Postback	66959697463fd5d7b98d6108,668c13eef6cc778f15283482,669596a540274e7224c187a3,info@example.ru,
MIME-Version	1.0
Content-Type	multipart/alternative; boundary="=-eZCfHEHQq3CaLO29eN0pehrIgg5R+Nt0/XWKzQ=="
X-KSMG-Rule-ID	1
X-KSMG-Message-Action	skipped, MessageAuthentication
X-KSMG-AntiSpam-Lua-Profiles	186526 [Jul 15 2024]
X-KSMG-AntiSpam-Version	6.1.0.4
X-KSMG-AntiSpam-Envelope-From	noreply@emails.zixflow.us
X-KSMG-AntiSpam-Rate	55
X-KSMG-AntiSpam-Status	not_detected
X-KSMG-AntiSpam-Method	none
X-KSMG-AntiSpam-Auth	dmarc=fail header.from=validatax.com policy=quarantine;spf=temperror smtp.mailfrom=emails.zixflow.us;dkim=pass header.d=emails.zixflow.us
X-KSMG-AntiSpam-Info	LuaCore: 24 0.3.24 186c4d603b899ccfd4883d230c53f273b80e467f, {rep_avail}, {Tracking_phishing_bb, bb3}, {Tracking_cat_phish}, {Tracking_marketers, three}, {Tracking_from_domain_doesnt_match_to}, d41d8cd98f00b204e9800998ecf8427e.com:7.1.1;tracking.validatax.com:7.1.1;127.0.0.199:7.1.2;69.72.31.108:7.1.2;validatax.com:7.1.1;w108.mxout.mta1.net:7.1.1;emails.zixflow.us:7.1.1, FromAlignment: n, {dmarc_black}, {Tracking_dmark_f}, {Tracking_smtp_domain_mismatch}, {Tracking_smtp_domain_2level_mismatch}, {Tracking_dmarc_smtp}, ApMailHostAddress: 69.72.31.108, {DNS response errors}
X-KSMG-AntiSpam-Interceptor-Info	scan successful
X-KSMG-AntiPhishing	Clean, bases: 2024/07/15 19:02:00
X-KSMG-AntiVirus	Kaspersky Secure Mail Gateway, version 1.1.2.30, bases: 2024/07/15 19:50:00 #26010659
X-KSMG-AntiVirus-Status	Clean, skipped
Return-Path	noreply@emails.zixflow.us
X-KSE-AntiSpam-Interceptor-Info	scan successful
X-KSE-AntiSpam-Version	6.1.0, Database issued on: 07/15/2024 19:49:59
X-KSE-AntiSpam-Status	KAS_STATUS_NOT_DETECTED
X-KSE-AntiSpam-Method	none
X-KSE-AntiSpam-Rate	0
X-KSE-AntiSpam-Info	Auth:dkim=pass header.d=emails.zixflow.us
X-KSE-Antiphishing-Info	Clean
X-KSE-Antiphishing-ScanningType	Heuristic
X-KSE-Antiphishing-Method	None
X-KSE-Antiphishing-Bases	07/15/2024 19:53:00
X-KSE-Attachment-Filter-Triggered-Rules	Clean
X-KSE-Attachment-Filter-Triggered-Filters	Clean
X-KSE-ServerInfo	PDC-EXCH-2.example.ru, 9

File Icon


Icon Hash:	46070c0a8e0c67d6

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Driver: Driver Load, File: File Metadata, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Service: Service Creation, Service: Service Modification, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 964232908.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Program Files\Windows Media Player\WindowsMediaPlayer\Receipt2024.msh

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\7e5c6b99-f28a-407f-876f-f22b3ae8aaef.tmp

C:\Users\user\Downloads\Unconfirmed 261524.crdownload

C:\Users\user\Downloads\Voicemail#78770269.exe (copy)

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\732DA73003C264E71A546DADB8191B486F01ED08

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\8F6AE7EE3F174BF3DB42C8B3E4E0A6CD459AA5B2

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\735C63D28551E57778FA8B0BAC378FB634BCC742

C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\97B9EE540B304BC1D7086ED93489F6E04628FA70

\Device\ConDrv

Static File Info

General

Windows Analysis Report
964232908.eml

Description:	Adversaries may delete or remove built-in data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.This may deny access to available backups and recovery options.
Tactics:	Impact
Data Sources:	Cloud Storage: Cloud Storage Deletion, Command: Command Execution, File: File Deletion, Process: Process Creation, Service: Service Metadata, Snapshot: Snapshot Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre