Edit tour

Windows Analysis Report
FW_ Orderbevestiging - 85500000571-1.msg

Overview

General Information

Sample name:	FW_ Orderbevestiging - 85500000571-1.msg
Analysis ID:	1545398
MD5:	a9422298d9085c485ab3d4f845b623f6
SHA1:	d1c2d34e89a750af95778144444a2b223c32dc0c
SHA256:	4d0f3996b52628d5b6c260c37705d02b6d6b5b0b7799460b47688566205ccac7
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

AI detected potential phishing Email

AV process strings found (often used to terminate AV products)

Creates a window with clipboard capturing capabilities

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 7920 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 2336 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

DWWIN.EXE (PID: 3096 cmdline: C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528 MD5: 57A4F3E9F6F5AA7AFA57FAACBF578453)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.facebook.com (Facebook)
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.linkedin.com (Linkedin)
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> equals www.youtube.com (Youtube)
Source: ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: HYPERLINK "https://www.facebook.com/thermoclean/" equals www.facebook.com (Facebook)
Source: ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: HYPERLINK "https://www.youtube.com/@thermo-cleangroup5215" equals www.youtube.com (Youtube)
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: tube.com/@thermo-cleangroup5215","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"324415ba-acef-4051-b4a9-bd180f3392d0","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"10c067f5-29d7-4e1b-94fc-7e511b11d108","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"2bea24bf-21ad-43ef-a97d-8c5ab54acc10","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"9a116a41-a1e6-4c84-ae9d-9caee7378991","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}][{"url":"http://www.thermoclean.com","url/anchorText":"www.thermoclean.com","url/urlTextSpan":{"beginIndex":2373,"length":19},"@EntityId":"c15abe4f-b6d0-488a-bc53-8feda93f35ef","@extractionTimeUtc":"2024-10-30T12:29:27.3557799\u002B00:00"},{"url":"https://www.youtube.com/@thermo-cleangroup5215","url/anchorText":"","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"229f0902-1c7e-4ad6-8644-0a0c0945375d","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"9419ca8e-7554-453f-a32d-381b6c939ecb","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"417c3a6d-d068-4490-a440-d6731d36cbf5","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/anchorText":"www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"d652c086-b055-43b2-9015-c318a9b9515b","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}]ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);dFpKbsRK3L9RjnFLSuKGiNiEQgQy/A8PgFlzsnwt8+fHv7WtVhjdinysRNYPlN+x/VsHn9UAD4hqMuc9HCzKhVhjGSkiA11GClKxr+DpE+uP0IgusjkLYq2d6OH4h+OFChIRNFf3SiCyM4yIFbhSzjADuWycM0VRlbmvNwj+uCF2ge+EptlN++uw2nAWGJOn9r7LH7mUB2uQK0E4Kfed3g6uyImrvZe8dNrZZr2Ot4azG/yShJnY6qBct6li/N0jA1OsJD7yGGyVwSVxMmxNwtogTS8FivoYPXCKLdq00PpV9pSNXzUvvIRfvVKXRZ0rCm7gc/HyMUiyRz7ibSaUH/YI4bVKKMaeiwrnUIt33ZhwdwPEFTwfgvvqGzLwwnTgt5gmPvARcBQpWfrVJc+1IMZ0KiM498IZty6AO3cO1mh3aqcxVWyiiWYI3E3MlYdZiX8hlMLJmi9yD/lw7Meky4FVayZxEsMLfvB7q7Y2BLqUId+2L3zeL8AEP3Uhn8YXuc5Eb1ClHFPh5k4SmzmfzgNeCxslBYgqGT3YARRNueBcCPZozB2V57/ip0VbcsVJtD3+tCi1WJaoXAf2vLLWhPq73298tqPB+hTcbovhz39mhkKEPm+057w2JKu+Uhn7UKQbuaAcmncTdX21OEDNXY6e5iPMfVla0WBIi4C066N6/C50gO2ntNN+ts4IFlo8G3PaZ5IH0fk5hZLULtiEXHrv8RvumfMpgSVEDSVrKZsOspHLECr/0ft1F4RxBO69pB2fBUva69Px2kip3fY2yRkzYFjsFL70R
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: tube.com/@thermo-cleangroup5215","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"324415ba-acef-4051-b4a9-bd180f3392d0","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"10c067f5-29d7-4e1b-94fc-7e511b11d108","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"2bea24bf-21ad-43ef-a97d-8c5ab54acc10","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"9a116a41-a1e6-4c84-ae9d-9caee7378991","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}][{"url":"http://www.thermoclean.com","url/anchorText":"www.thermoclean.com","url/urlTextSpan":{"beginIndex":2373,"length":19},"@EntityId":"c15abe4f-b6d0-488a-bc53-8feda93f35ef","@extractionTimeUtc":"2024-10-30T12:29:27.3557799\u002B00:00"},{"url":"https://www.youtube.com/@thermo-cleangroup5215","url/anchorText":"","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"229f0902-1c7e-4ad6-8644-0a0c0945375d","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"9419ca8e-7554-453f-a32d-381b6c939ecb","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"417c3a6d-d068-4490-a440-d6731d36cbf5","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/anchorText":"www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"d652c086-b055-43b2-9015-c318a9b9515b","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}]ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);dFpKbsRK3L9RjnFLSuKGiNiEQgQy/A8PgFlzsnwt8+fHv7WtVhjdinysRNYPlN+x/VsHn9UAD4hqMuc9HCzKhVhjGSkiA11GClKxr+DpE+uP0IgusjkLYq2d6OH4h+OFChIRNFf3SiCyM4yIFbhSzjADuWycM0VRlbmvNwj+uCF2ge+EptlN++uw2nAWGJOn9r7LH7mUB2uQK0E4Kfed3g6uyImrvZe8dNrZZr2Ot4azG/yShJnY6qBct6li/N0jA1OsJD7yGGyVwSVxMmxNwtogTS8FivoYPXCKLdq00PpV9pSNXzUvvIRfvVKXRZ0rCm7gc/HyMUiyRz7ibSaUH/YI4bVKKMaeiwrnUIt33ZhwdwPEFTwfgvvqGzLwwnTgt5gmPvARcBQpWfrVJc+1IMZ0KiM498IZty6AO3cO1mh3aqcxVWyiiWYI3E3MlYdZiX8hlMLJmi9yD/lw7Meky4FVayZxEsMLfvB7q7Y2BLqUId+2L3zeL8AEP3Uhn8YXuc5Eb1ClHFPh5k4SmzmfzgNeCxslBYgqGT3YARRNueBcCPZozB2V57/ip0VbcsVJtD3+tCi1WJaoXAf2vLLWhPq73298tqPB+hTcbovhz39mhkKEPm+057w2JKu+Uhn7UKQbuaAcmncTdX21OEDNXY6e5iPMfVla0WBIi4C066N6/C50gO2ntNN+ts4IFlo8G3PaZ5IH0fk5hZLULtiEXHrv8RvumfMpgSVEDSVrKZsOspHLECr/0ft1F4RxBO69pB2fBUva69Px2kip3fY2yRkzYFjsFL70R
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: tube.com/@thermo-cleangroup5215","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"324415ba-acef-4051-b4a9-bd180f3392d0","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"10c067f5-29d7-4e1b-94fc-7e511b11d108","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"2bea24bf-21ad-43ef-a97d-8c5ab54acc10","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"9a116a41-a1e6-4c84-ae9d-9caee7378991","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}][{"url":"http://www.thermoclean.com","url/anchorText":"www.thermoclean.com","url/urlTextSpan":{"beginIndex":2373,"length":19},"@EntityId":"c15abe4f-b6d0-488a-bc53-8feda93f35ef","@extractionTimeUtc":"2024-10-30T12:29:27.3557799\u002B00:00"},{"url":"https://www.youtube.com/@thermo-cleangroup5215","url/anchorText":"","url/urlTextSpan":{"beginIndex":2552,"length":0},"@EntityId":"229f0902-1c7e-4ad6-8644-0a0c0945375d","@extractionTimeUtc":"2024-10-30T12:29:27.3557852\u002B00:00"},{"url":"https://nl.linkedin.com/company/thermo-clean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":2984,"length":0},"@EntityId":"9419ca8e-7554-453f-a32d-381b6c939ecb","@extractionTimeUtc":"2024-10-30T12:29:27.3557884\u002B00:00"},{"url":"https://www.facebook.com/thermoclean/","url/anchorText":"","url/urlTextSpan":{"beginIndex":3461,"length":0},"@EntityId":"417c3a6d-d068-4490-a440-d6731d36cbf5","@extractionTimeUtc":"2024-10-30T12:29:27.3557894\u002B00:00"},{"url":"http://www.thermoclean.com/en/about-us/privacy-declaration","url/anchorText":"www.thermoclean.com/en/about-us/privacy-declaration","url/urlTextSpan":{"beginIndex":4766,"length":51},"@EntityId":"d652c086-b055-43b2-9015-c318a9b9515b","@extractionTimeUtc":"2024-10-30T12:29:27.3557916\u002B00:00"}]ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);dFpKbsRK3L9RjnFLSuKGiNiEQgQy/A8PgFlzsnwt8+fHv7WtVhjdinysRNYPlN+x/VsHn9UAD4hqMuc9HCzKhVhjGSkiA11GClKxr+DpE+uP0IgusjkLYq2d6OH4h+OFChIRNFf3SiCyM4yIFbhSzjADuWycM0VRlbmvNwj+uCF2ge+EptlN++uw2nAWGJOn9r7LH7mUB2uQK0E4Kfed3g6uyImrvZe8dNrZZr2Ot4azG/yShJnY6qBct6li/N0jA1OsJD7yGGyVwSVxMmxNwtogTS8FivoYPXCKLdq00PpV9pSNXzUvvIRfvVKXRZ0rCm7gc/HyMUiyRz7ibSaUH/YI4bVKKMaeiwrnUIt33ZhwdwPEFTwfgvvqGzLwwnTgt5gmPvARcBQpWfrVJc+1IMZ0KiM498IZty6AO3cO1mh3aqcxVWyiiWYI3E3MlYdZiX8hlMLJmi9yD/lw7Meky4FVayZxEsMLfvB7q7Y2BLqUId+2L3zeL8AEP3Uhn8YXuc5Eb1ClHFPh5k4SmzmfzgNeCxslBYgqGT3YARRNueBcCPZozB2V57/ip0VbcsVJtD3+tCi1WJaoXAf2vLLWhPq73298tqPB+hTcbovhz39mhkKEPm+057w2JKu+Uhn7UKQbuaAcmncTdX21OEDNXY6e5iPMfVla0WBIi4C066N6/C50gO2ntNN+ts4IFlo8G3PaZ5IH0fk5hZLULtiEXHrv8RvumfMpgSVEDSVrKZsOspHLECr/0ft1F4RxBO69pB2fBUva69Px2kip3fY2yRkzYFjsFL70R

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: http://www.thermoclean.com
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: http://www.thermoclean.com/en/about-us/privacy-declaration
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	String found in binary or memory: https://login.windows.local
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	String found in binary or memory: https://login.windows.localnullD
Source: OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	String found in binary or memory: https://login.windows.localnullche
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: https://nl.linkedin.com/company/thermo-clean/
Source: FW_ Orderbevestiging - 85500000571-1.msg	String found in binary or memory: https://www.you__substg1.0_8023001F
Source: FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	String found in binary or memory: https://www.youtube.com/

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528

Source: classification engine

Classification label: sus22.winMSG@5/24@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\DWWIN.EXE

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7920

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl

Jump to behavior

Source: C:\Windows\SysWOW64\DWWIN.EXE

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Windows\SysWOW64\DWWIN.EXE C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: wer.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: c2r32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: phoneinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: dsreg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: windows.security.authentication.onlineid.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Section loaded: twinapi.appcore.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email claims to be from Dustin B.V. but is being forwarded through internal company addresses, which is unusual for order confirmations

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\DWWIN.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\DWWIN.EXE TID: 2708

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: DWWIN.EXE, 00000007.00000003.3652895010.0000000003583000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 00000007.00000002.3783272164.0000000003547000.00000004.00000020.00020000.00000000.sdmp, DWWIN.EXE, 00000007.00000003.3782061721.0000000003584000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllid" val="433" />
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Clipboard Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
https://login.windows.local	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.local	OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	false	URL Reputation: safe	unknown
https://nl.linkedin.com/company/thermo-clean/	FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	false		unknown
https://www.you__substg1.0_8023001F	FW_ Orderbevestiging - 85500000571-1.msg	false		unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://login.windows.localnullche	OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	false		unknown
http://www.thermoclean.com/en/about-us/privacy-declaration	FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	false		unknown
https://www.youtube.com/	FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	false		unknown
https://login.windows.localnullD	OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	false		unknown
http://www.thermoclean.com	FW_ Orderbevestiging - 85500000571-1.msg, ~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp.0.dr	false		unknown
https://login.windows.localR	OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl.0.dr	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545398
Start date and time:	2024-10-30 14:25:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	FW_ Orderbevestiging - 85500000571-1.msg
Detection:	SUS
Classification:	sus22.winMSG@5/24@0/0
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97
Excluded domains from analysis (whitelisted): www.bing.com, ecs.office.com, slscr.update.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, tse1.mm.bing.net, arc.msn.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, config.officeapps.live.com, crl3.digicert.com, officeclient.microsoft.com, umwatson.events.data.microsoft.com, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: FW_ Orderbevestiging - 85500000571-1.msg

Simulations

Behavior and APIs

Time	Type	Description
09:29:40	API Interceptor	1x Sleep call for process: DWWIN.EXE modified

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "explanation": [ "The email claims to be from Dustin B.V. but is being forwarded through internal company addresses, which is unusual for order confirmations", "Generic and vague message body with minimal details about the order", "Contains a PDF attachment with a suspicious naming pattern that could contain malware" ], "phishing": true, "confidence": 8 }
{ "date": "Wed, 30 Oct 2024 13:29:20 +0100", "subject": "FW: Orderbevestiging - 85500000571-1", "communications": [ " \n\n \n\nVriendelijke groeten, Cordialement, mit freundlichen Gren, Best regards, S pozdravom,\n\n \n\n\n\nElke van den Bergh\n\nAccounting Department\n\nThermo-Clean Group\n\nTel: +32 13 53 90 18\n\nwww.thermoclean.com <http://www.thermoclean.com> \n\n <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> \n\n \n\nIn light of the European GDPR, we inform you that your personal data is stored in our system and is only used for processing your orders and maintaining our business relationship. If you wish to learn more about our data management and protection policy, please check our Privacy Statement at www.thermoclean.com/en/about-us/privacy-declaration <http://www.thermoclean.com/en/about-us/privacy-declaration> .\n\n \n\n \n\n \n\n", "From: Dustin B.V. <noreply@dustin.com> \nSent: woensdag 30 oktober 2024 13:04\nTo: Invoices <invoices@thermoclean.com>\nSubject: Orderbevestiging - 85500000571-1\n\n \n\nExternal Email \n\nThis email was sent from outside the Thermo-Clean organization.\n\nDear,\n\nSee attached the order confirmation document.\n\nDustin\n\n" ], "from": "Invoices <invoices@thermoclean.com>", "to": "IT Support <it.support@thermoclean.com>", "attachements": [ "85500000571-1.pdf", "image001.png", "image002.jpg", "image003.jpg", "image004.jpg" ] }
URL: PDF document Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "Orderbevestiging", "prominent_button_name": "unknown", "text_input_field_labels": [ "Klantnummer", "Ordernummer", "Uw referentie", "Datum", "MPN", "Stijl", "Omschrijving", "Aantal", "Stukprijs", "Prijs" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "See attached the order confirmation document.", "prominent_button_name": "unknown", "text_input_field_labels": [ "Invoices <invoices@thermoclean.com>" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "THERMO", "CLEAN" ] }
	```json { "brands": [ "THERMO", "CLEAN" ] }
URL: PDF document Model: claude-3-haiku-20240307	```json { "brands": [ "Dustin" ] }
	```json { "brands": [ "Dustin" ] }

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OUTLOOK.EXE_b64c333b1caaf1150975129aa9c55951cdf086_00000000_917002f5-c1bd-4f4b-b950-9964101302c4\Report.wer

Download File

Process:	C:\Windows\SysWOW64\DWWIN.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.8468981785401877
Encrypted:	false
SSDEEP:	384:jjsMRBjCGJzRlxAob2m0BGsOJOa9Zd/rzuiFpY4IO8:jzjFVlQMzuiFpY4IO8
MD5:	81B9D3F708C97D268906B2647849EBC2
SHA1:	592DE7F22E066FAC957D1E7C66D715E8729E9023
SHA-256:	DD99EAAB93C0887C6C555B37FBBB8FDF8B49D365A58D99EC9DD6F96771B1148C
SHA-512:	6958BCF32491C3F64BED859F0F7722DED986FCDA920C66934B2DA37DB1637296EC20948698D50C371F0150A84CEA3153B64636C93CEAC4766C8AEA353C3CE778
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.7.6.8.4.3.5.4.8.4.1.2.8.9.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.7.6.8.4.3.5.9.8.4.1.2.6.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.9.6.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.1.7.0.0.2.f.5.-.c.1.b.d.-.4.f.4.b.-.b.9.5.0.-.9.9.6.4.1.0.1.3.0.2.c.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.0.a.1.4.d.4.-.9.1.6.f.-.4.b.6.b.-.8.2.0.7.-.d.a.f.f.8.f.5.e.c.8.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.O.u.t.l.o.o.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.f.0.-.0.0.0.1.-.0.0.1.4.-.3.8.c.b.-.4.2.5.4.c.f.2.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.a.d.9.7.6.e.e.3.1.0.3.2.b.5.a.2.0.f.2.1.0.0.7.9.9.9.6.6.e.0.a.8.0.0.0.0.f.f.f.f.!.0.0.0.0.1.5.3.5.a.2.4.a.2.e.5.a.f.1.b.f.b.6.1.4.3.9.4.e.3.a.5.f.2.5.2.9.8.9.e.0.d.9.b.1.!.O.U.T.L.O.O.K...E.X.E.....T.a.r.g.e.t.A.p.p.V.e.r.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68B0.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\DWWIN.EXE
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8404
Entropy (8bit):	3.7298846013479072
Encrypted:	false
SSDEEP:	192:R6l7wVeJUq6q56Y9cSUe/4gmf8fE3dN5p1PHocf/VHm:R6lXJx6s6YmSUe/4gmf8fE3nlPHLfdG
MD5:	9595988E0252CFEF3A6A94BCB579F338
SHA1:	276DC26CFCE0F172A6B985A1FC29AA0151A430FA
SHA-256:	8B92DB6F7101327AE69D02F38B97F896297E539E242462BDD6AEB274AB5627ED
SHA-512:	A8B0BBB0CECBA62B97FD0972697CF6302B3E59DF274EC572E08A8E0113424EC6793CB798FC8CC28F957DCBBCCB036AF60086C0406C1FBEC8641D23B1ABCFABDC
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.9.2.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68F0.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\DWWIN.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	5131
Entropy (8bit):	4.583201740137775
Encrypted:	false
SSDEEP:	48:cvIwWl8zsUiJg77aI94zWpW8VYP0Ym8M4JFKfUWxwAFX+ji8e8+GPfoJuyhquyem:uIjfZI7WC7V+BJFKbmqw+QchhqhFd
MD5:	BAEC3B7DF6BE3A0C9D02329D527DFE7A
SHA1:	DFCAC364A70C77974057D6EF81BCCB359027CF63
SHA-256:	6C7EEF3BD6FCF53BB76C778564076AA73A741C3A858B177B1F1F5B01091BDCA9
SHA-512:	3156513E2332EAA799C52722990CD444B50B9A4AA7A171DC20FB4F45CA2CCE4E84E53FACA3F639AB72E6E4D91A60C1B22DAACE2A46951C37B437404192378F8F
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="566189" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.399571656578713
Encrypted:	false
SSDEEP:	1536:VVYLgfgsCmmZmW53YgsUVNcAz79ysQqt2wMB2qoQ0jrcm0FvwePyRLhjcNt/cbar:cggpP+gLmiGu2wqoQQrt0FvEfYmEmUD
MD5:	9DAE279F7A4DF8EED505F6687231F98C
SHA1:	006C797F3B430EA7D87EDDB13A2872A9515B1C4F
SHA-256:	8CE9F90F48B80F8265934FC93A225945528D30B53FDFC45D72950FBD79D46AE4
SHA-512:	9563598460AD5C746FFE55842F58993E90C1AD9260C5A9E956C71C35DFA9F934954EC41EF2703E05904DB59DEC09CA9890E9774E1D15F52ADAA8A648A21C95D5
Malicious:	false
Reputation:	low
Preview:	TH02...... ....E.......SM01X...,....e.E...........IPM.Activity...........h...............h............H..hD.\.....y.....h............H..h\jon ...ppDa...h....0.....\....hY..e...........h........_`.j...h...e@...I..v...h....H...8..j...0....T...............d.........2h...............k..............!h.............. hC<{.......\...#h....8.........$h........8....."h0J.......J....'h..............1hY..e<.........0h....4.....j../h....h......jH..h....p...D.\...-h ........\...+h...e....8.\................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13760166725504608
Encrypted:	false
SSDEEP:	3:7FEG2l+z6d+lll/FllkpMRgSWbNFl/sl+ltlslVlllfllR4n:7+/lTaBg9bNFlEs1EP/6n
MD5:	2576AC7AFE3D15C737BA7DFF3BAD7899
SHA1:	AB1963392C84B9A5D987821FF2EF1B4390FABE9B
SHA-256:	5809409B209B7EE0279076F07C2B1D85765FF4AEF5F408D1ED700989BB96BA54
SHA-512:	A8C55B624022606AE8AE76EFB82EEF6E166501422B0161242676893F5C4735FE2B0F8512534B75D91E3447C8E72D8CEE46B69F5B83848B78284E933C41947F0E
Malicious:	false
Reputation:	low
Preview:	.... .c.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04482848510499482
Encrypted:	false
SSDEEP:	3:G4l2z26xqYU9oCl2z26xqYUlslL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2fqz9tl2fqzlEL9XXPH4l942U
MD5:	FAA145C40D6B127D8485C01528F32C21
SHA1:	9C3ED5445286D2CA8E417889A48D881C304C7E9C
SHA-256:	09D73A4AA5299FD8EDA2DCA3F8989EBE1B1F0E3DB408EA5AB186BC6BA90EBBC5
SHA-512:	14A312957CBB6EC7CAC620EF2DD13C7724D41E994E81442D953E5B820999055A5F5E3B46D6B3F0BF58E125D1FB16B35CA44048DA7A8FA2E107F104C17D5197ED
Malicious:	false
Reputation:	low
Preview:	..-.....................%?...T(.=.Ar.....\|......-.....................%?...T(.=.Ar.....\|............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	45352
Entropy (8bit):	0.39463084334341647
Encrypted:	false
SSDEEP:	24:KABQ3zRDACVIUll7DBtDi4kZERDLzqt8VtbDBtDi4kZERD4Ed+:1BQ1lOUll7DYMnzO8VFDYMMEd+
MD5:	C96032E7354D2D0FBBEA22068FD41B4A
SHA1:	A14A839BFFDA541D933722CC0DBDA1FF8541A54A
SHA-256:	BBF94D61EAB32901116DD31193E77AF2D473EB2BBB6ABC7648F441116CC6E57F
SHA-512:	D4932CED15F71277858B4D78BC4B01A9E0F7EC1F165A25FF8379766679CAD26B9892ADC36850587F24D2EA37F24BEF09318A6D6DB35370A892AE6D2EDDFA771D
Malicious:	false
Reputation:	low
Preview:	7....-...........=.Ar....@.............=.Ar.....xF>.SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	2278
Entropy (8bit):	3.8469759345886763
Encrypted:	false
SSDEEP:	48:uiTrlKxsxx6xl9Il8u/1nr0vdFk7oKuAQn8uVi0Nd1rc:v+Y5Nr0WbFkV+
MD5:	3CE7EC1967CC701391F9270D54A77C4E
SHA1:	0748E4ACC7E0594457AA2095A679A6BA6A3A4888
SHA-256:	F2BC6D6376820E55F84C2AB5ED8EE79674B2ADE2256FA0EB054E8DB13AA33FD2
SHA-512:	C22E51ACEB9AA3C131E14C698CE98DF3C40D8E82038237F27D5423D9776C707E1272B3E638B52B851432FA266AAE3C334CB93B1FEC818EB5653B9052F081A023
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".C.J.1.m.u.g.S.o.z.s.S.9.x.S.Z./.Q.v.O.c.+.E.J.4.u.2.c.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".g.C.8.2.z.N.c.q.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.g.6.e.G.v.x.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	2684
Entropy (8bit):	3.9103751343996533
Encrypted:	false
SSDEEP:	48:uiTrlKxJxIHxl9Il8u/jd+6aQ0lJSH5aXAHVbcP10AlgMXLhn0d/vc:BzY5jd+y0lJSH0XAhU02XLhnd
MD5:	DB4895A2DFAB5085AF75FFACC171062A
SHA1:	9C8CFC23A3E0D96F577843258BBE5561FA58C89C
SHA-256:	5D78DD7FA94E8C967C02EB2C6E5424349FF6703F26CAC5ABDB61EA3A54353182
SHA-512:	43A51C32E06AD896E04E1E68F8AACDA2A40C196DA481D7E982EDA39F119D5AF7C6F687C70B69D1ECFF416938821FBDBE28696DB43AAC3ADB633894A57B0CA9E2
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.H.X.L.G.R.5.H.j.D.k.3.C.i.F.b.L.a.m.K.N.+.n.c.g.T.0.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".n.E./.S.5.K.B.J.3.A.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.A.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.g.6.e.G.v.x.

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	4542
Entropy (8bit):	4.00295465292041
Encrypted:	false
SSDEEP:	48:uiTrlKxxx+xD9Il8u/o0A0Jk+jrN+lPtBkMwUwODvcpxDyIn7oldlt5eMtHxhgD6:BY5o0A0J/jIllegwFD6lD9gFh/9WlV
MD5:	743B4109B3A98081E03138341B68D237
SHA1:	38E72BBA9FAAE0104643F780BB94CE3C28F8DAEA
SHA-256:	AD883FF8544039025ABF1B1A150FFD7196F6109ADAF29CE36EA8A6786982A274
SHA-512:	9F6EBEBFAA2920F0860D4665DF38CD91EB8D32029FD5A240528FED651072D2EC538B5C453AA36A326352F64FDABDF7247CFEF16CEC0A57D801F7B401EF6C5481
Malicious:	false
Preview:	{.".T.B.D.a.t.a.S.t.o.r.e.O.b.j.e.c.t.".:.{.".H.e.a.d.e.r.".:.{.".O.b.j.e.c.t.T.y.p.e.".:.".T.o.k.e.n.R.e.s.p.o.n.s.e.".,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.a.j.o.r.".:.2.,.".S.c.h.e.m.a.V.e.r.s.i.o.n.M.i.n.o.r.".:.1.}.,.".O.b.j.e.c.t.D.a.t.a.".:.{.".S.y.s.t.e.m.D.e.f.i.n.e.d.P.r.o.p.e.r.t.i.e.s.".:.{.".R.e.q.u.e.s.t.I.n.d.e.x.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".V.q.Y.a.6.3.X.Y.9.b.4.Y.b.C.Z.g.f.0.u.y.E.6.v.n.x.e.w.=.".}.,.".E.x.p.i.r.a.t.i.o.n.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".r.z.D.A.s.c.8.q.2.w.E.=.".}.,.".S.t.a.t.u.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.f.a.l.s.e.,.".V.a.l.u.e.".:.".A.w.A.A.A.A.=.=.".}.,.".R.e.s.p.o.n.s.e.B.y.t.e.s.".:.{.".T.y.p.e.".:.".I.n.l.i.n.e.B.y.t.e.s.".,.".I.s.P.r.o.t.e.c.t.e.d.".:.t.r.u.e.,.".V.a.l.u.e.".:.".A.Q.A.A.A.N.C.M.n.d.8.B.F.d.E.R.j.H.o.A.w.E./.C.l.+.s.B.A.A.A.A.g.6.e.G.v.x.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37D085A5.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 23x23, components 3
Category:	dropped
Size (bytes):	913
Entropy (8bit):	7.319644273947828
Encrypted:	false
SSDEEP:	24:49YMWro0XxDuLHeOWXG4OZ7DAJuLHenX3b+VpLLanQQuQkn:49YMzuERAoLLLsQnn
MD5:	B244E9B3CD75CEFCE461377A295A2AE7
SHA1:	684E1EE527807BF111DF82836BA818DD547D84BB
SHA-256:	4E2B8D3EF9EFE23F73213A3459FA0B6F28FEF47A0ED305C76C8B32F5368D9268
SHA-512:	449CDE4206B85E8E03DF92E6E93D2E9D9CA00536A6F3C1A63AB9DF43CBD1D434BE431919E1A6D915229138EB79FA7B402D4E0C122A7FB96D4054FAD319982F91
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?.~..i...jz......9.n..99....J.+..m.....,.[C$.F.7x.d...OJ..t..x?...-........ ,s.M}...&.........N3n.].{..+K......Hf\...<.+...aeo{...[....i...H........h)...YT..t...d..>.....{%ynKE#.....`...mg..h.^....@.@.....QE(S..Q.w...j.n.z->W/.Z...o4..K..kh.Ty..02y..w...+.....J.4.zXL$1.uj.{...

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48E73734.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 23x23, components 3
Category:	dropped
Size (bytes):	895
Entropy (8bit):	7.242881954141719
Encrypted:	false
SSDEEP:	24:49YMWro0XxDuLHeOWXG4OZ7DAJuLHenX3HBJf/2up8lZA:49YMzuERARDM3A
MD5:	ADBFC623D00FD213733D55CC8E1B0ADF
SHA1:	07965D658CA047DADCDDACEDC298E0B17C51DC5A
SHA-256:	DB3F891E3FF98C4DD721528424EE5578DCB28CC70ED3C6E75F9B4317666B5DEF
SHA-512:	3C175B14A35B9586E06206B71AFA09969A726F540289C2C2C212F7040CE59E5CF6439B9DA7781B53FB86A1DB20DFD7DE1A665DEE97F6DD1374EA98ACEE5022BD
Malicious:	false
Preview:	......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...h...n.k(..U;...O.'...[...\|b........>...]\....?L...v.vz.~"....3.HG.lWs...w...x..:..3.....c...1...T...}v.OS.,uo..k...gx..Y...# ......D..C`.......g...9....q...Z.U..q.>.....73Z\..9<.1....V..*...........].6.:ub.8..]...x.TX..].J..Y9 ..'.(..4cR<.<..3....RJ...?3..

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7B87023F.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	PNG image data, 260 x 143, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	33108
Entropy (8bit):	7.98628344376612
Encrypted:	false
SSDEEP:	768:7Bt7iBlQfoFkjDHHj8sIvOPQqCDYPkjoSAySC6q1Hj84ie26d1VQos:t9iBSgMnjjIvOeRSuiA1Vfs
MD5:	DC746DDBD72AC8A2AB05E30C0C6A1A57
SHA1:	F31BA4696D98302A863D5E43FC12D5AA03AA6B7E
SHA-256:	81F9B2D19E2141309A415E069DC6F78216A3ABFA46054CA394EE583EFD33AE3B
SHA-512:	239E2677BEDD20D580C9CF89C98E41FB7BBA6BA1FBB23B91098D0AC6E145ACBD873DFEB9763BE137256D965424506644DFAAD3A4931D652D2727F659E59B8DE9
Malicious:	false
Preview:	.PNG........IHDR.....................sRGB.........pHYs..........+......tEXtSoftware.Microsoft Office..5q....IDATx^.]..\..>.3............J..wii).-..].(EJ...R....[<.x6Y.....}w..dvw...`..fw..}W.=.;.9..!.#.......z...\..z ....r.!7.r=........d..@..r..;=....<.!....@......?....?[g..$...Q.m...X.u...L...4.....A1,!...^..TBRI....0..uam..j.0..$..4.M6m...L....:3..7..2....IS.J).../$..../@.A\|..~.....k.i.o4..C.=..`2...5muT..'.h..~......9....On..XE..WV\|9[...DF.......K....jX[v...L......\|..D{..z.M)....o^.B.w..Tg.Vc<X.".'..Y.=.....G...<..'..e.N.............=`/.@.D.I.c}yU".o0.p..9.5t..0...y.h3%......... .\y..w.nR1u..g.;....d'p.FW........7;..k....jK).U!..\|.....L9.x...,q...T\hax.>..N.._o...d..RYY......5TZ..B.s.AR.6~y.m2`...I...... .................~......o.J/..wRcs......#.\\|....y.3e..N..?.1...+1.. ....tPK......Kyy.x.X....mF....9\|f..G.....v..a........?.)..#...$..q`...J.;.^.........$g.x.h.qI."...............Q.....+.#......KS.I\..`P..5...5....-........g......

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F7F38762.dat

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 21x23, components 3
Category:	modified
Size (bytes):	827
Entropy (8bit):	7.217130978596527
Encrypted:	false
SSDEEP:	24:pyYHu2o0XxDuLHeOWXG4OZ7DAJuLHenX3CnF5NCa/OPn:pyYyuERAQFWn
MD5:	D6805AFDAB0E00843A87C33BD675B2AC
SHA1:	0A74CF5145E98E12D736CA668480B9751546C099
SHA-256:	7EF2F5A8F4C20DBB2790AAB93EFE424F02F15BF4C00D91D419D42538A5E79E9F
SHA-512:	7E7ED8912E2665EF91CF3CBE077FB3B08951668C1CE93E084FFEB97020DDD3FE504810CE7D792CC3634ED9D7A7434B465CD4775DDB01037A9FF4A4A02818D912
Malicious:	false
Preview:	......JFIF.....`.`.....C...........................$ &%# #"(-90(6+"#2D26;=@@@&0FKE>J9?@=...C...........=)#)==================================================..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?...G.F.Ggw;....ko.^.Mmn....ej..L.s.N.Z.F.....}..o.X......8...^.i.GC...S...:N.s...L...c}.`.S.....Ii..:i.4........i&..l.p...N6...u.:.+...)...+1......(.jI.}.Ejs.f.{......"....W....QE..LD.&.q.....

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	8124
Entropy (8bit):	3.5217738975483988
Encrypted:	false
SSDEEP:	192:pvZSNdg4wJKgibWgJyTzNoQm7OvcJYTzIdz7o/UBoijKgffpRynBodBIEN6fyZ79:hQ9T+U9
MD5:	0EEB8BAF4251D9F0A4D827C7EF3304AB
SHA1:	5FC3E02AFB94C645C15960217A8F6585FEB84CAE
SHA-256:	430A99A4448149D7FAF7A05A5E66129BCEE228BC1EB568DEC45994B6B35D92B8
SHA-512:	7975BCD39CB98752139FC0F774DFE0DC2B875B05AB6398936786D0CC6A96D74EA455F65BC49FDEAA4ACE4774217055146FD9E5F2251242AEF54522ADC01D7EDA
Malicious:	false
Preview:	........V.r.i.e.n.d.e.l.i.j.k.e. .g.r.o.e.t.e.n.,. .C.o.r.d.i.a.l.e.m.e.n.t.,. .m.i.t. .f.r.e.u.n.d.l.i.c.h.e.n. .G.r.....e.n.,. .B.e.s.t. .r.e.g.a.r.d.s.,. .S. .p.o.z.d.r.a.v.o.m.,.........I.N.C.L.U.D.E.P.I.C.T.U.R.E. .".c.i.d.:.i.m.a.g.e.0.0.1...p.n.g.@.0.1.D.B.2.A.C.F...B.8.9.D.3.9.3.0.". .\.. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . .................................................................................................................................................................................................................................(...R...........................................................................................................................................................................................................................................................................................$..$.If....:V.......t.....6......4........4........a.........d.............dh......$..$.If........!v..h.#v....:V.......t.....6......5.......4........4.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793394492800_D416B852-9DDC-4C2E-84EB-B842733E72B9.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.006187607395642391
Encrypted:	false
SSDEEP:	192:oMkP/K9KTk8LFH4H7KxCxPhA2V0+Sjl/:oMLgTPLFHu7K4xJAe0+Sjl/
MD5:	4FCB3B439743D0598222F11D594649CB
SHA1:	8DA73B78797FD71B3C39BE16CF5707721DCBD1B1
SHA-256:	819EA9F260DEB9850F2779EE23421411FC1C14F5B5D9B163219FD2D800B8DB1C
SHA-512:	0B5287FB0B039C4714C372EA25D8E134EA5140395E49B10C08A0E31FA16046A93F1F896F6A28A9B28EEBEBF0E14080AF1CAAA5C675773996B843A2CE53D633F3
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/30/2024 13:26:33.763.OUTLOOK (0x1EF0).0x1EF4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-10-30T13:26:33.763Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"591E95D2-DDF0-4DED-BB8B-C637F87BF8A9","Data.PreviousSessionInitTime":"2024-10-30T13:26:04.663Z","Data.PreviousSessionUninitTime":"2024-10-30T13:26:08.397Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...10/30/2024 13:26:33.841.OUTLOOK (0x1EF0).0x1C8C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793395735100_D416B852-9DDC-4C2E-84EB-B842733E72B9.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	147456
Entropy (8bit):	4.865301416833208
Encrypted:	false
SSDEEP:	1536:M4dC9ZBD5w6vEy8of5cNyR74PhIzAWcF/io2ZhQiyFfkbn:M4dCvBX
MD5:	8BE58389CBBA5055EF31EEB0F4D863D8
SHA1:	79E7383F73F7CE426F0136481E5D1A873ADF7ADA
SHA-256:	00E78BE8D22AF5675D0B8E02E564EEE24B6E05F468098FF19791D6A02FFAF722
SHA-512:	E99FF01C5B3730CEFEABD101C59321CDE653C54486DCC8F317101AF5882A2EA5F6356C8C443EC8FF97396B00EF2B840F821992C0FA26D48DF2E329BA6B468E87
Malicious:	false
Preview:	............................................................................b............/yT...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................0..\............./yT...........v.2._.O.U.T.L.O.O.K.:.1.e.f.0.:.4.1.8.4.6.0.0.f.9.1.6.d.4.c.d.1.8.d.f.a.5.4.1.0.3.4.b.2.a.c.b.c...C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.3.0.T.0.9.2.6.3.0.0.1.3.8.-.7.9.2.0...e.t.l.............P.P.........D.{T.*..................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFED457B9D1FC0D166.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.4400424870256099
Encrypted:	false
SSDEEP:	192:rlWV3A3i563T9P5eJLZfb4eMqj18UdAyziBm2NgiXHWQOoqAbAD/:oAgs9Pc54eMWeUdTiQZiXHOoqM
MD5:	C9FE2C469CDB096886223D93AE8C4572
SHA1:	43D31DFA8F1396318F9D3ED832289CD49BDA6335
SHA-256:	66CB9BC36A91A91D57C22DEE0CFFCD04AC14F7DF30DF1F33766FA34F2B3559B3
SHA-512:	2E75C45EE308DD24DEF9A7753C67DA18FE45104E99D3AEFE7CD0B1D88C3543C2ED0057F5EA64802B7AB99AB830809CD54A64DAB7D544B2C2D5905D096685E557
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:	3:4dml7v:4dm
MD5:	61EFAB5775EF5D73FD453C3936A0B1AA
SHA1:	E21BBB791201B54B2A4C6079382ED43CBFEBE7C4
SHA-256:	7E1CC840E41D289B46063270BDCE1CDFEDB9D14E68443534AA1228D76A14C5A1
SHA-512:	54E262F65176018609D054B22592BDFE626169A572962ED10AB9864DF988F5C72A136BA76A0C6D4B6ACE65C78D1D65780EF2812F1F5A8BF6AEC78F546B905C03
Malicious:	false
Preview:	.....x........................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	0.9348409433928375
Encrypted:	false
SSDEEP:	384:WYmIjc2eizfr9x7hAvQ++DapODF7vp0HUk77SZuzXif:WYmQcAz9y0mcMeZuOf
MD5:	940ED73A1F92D36B3171C9DE454D6406
SHA1:	09BD0DA7750BCE6D00723A56DE36929A66840D24
SHA-256:	0C953931129755C3A7CA6F64581F4F98890CE865C51A7D32AB919FDD219EB29D
SHA-512:	FBC8EF1EAF5CA91CE00571F85165C54BAF225B66154AF647F9FA404C5E2BE6D68EB944DC69737373B0D8105D0179FAC63120A5FDF7F6CFEE4E3CB6309CCC92FA
Malicious:	true
Preview:	!BDN;s..SM......\.......................N................@...........@...@...................................@...........................................................................$.......D.......w..................................................................................................................................................................................................................................................................................................................................*....+......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	0.5287405670486464
Encrypted:	false
SSDEEP:	96:8iE47YUVv0lwf5vjSLxmXx3cWSQq1uPZk3Pq6MpYzmW8:8idnVv0WALxMx3cRQdl6MpYzmH
MD5:	EAAF1078B242FC53D43BBB6178CB57C6
SHA1:	9C63E40616EF79AB76B6F1C6C4C4B62D70B47BC9
SHA-256:	17C3EA8FE9411D7217440F3E5F4ED459E91E4A6E8B18696F4567E90870466D69
SHA-512:	1F57BBB3F730533B320ED7389F5F9EB21C32FE5B312B51523AE88A1B92540FA50EBDF536AC5FADA761084E2F7761F95824E600EC523BC7AD138F376857AFAB50
Malicious:	true
Preview:	.Qb.C...............8.BT.....................#.!BDN;s..SM......\.......................N................@...........@...@...................................@...........................................................................$.......D.......w......................................................................................................................................................................................................................................................................................................................................+..8.BT.*.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\DWWIN.EXE
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.462953473878024
Encrypted:	false
SSDEEP:	6144:9IXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABT0uN2dwBCswSbn:uXD94+WlLZMM6YzHg+n
MD5:	A8AC1FA2C1CDFDA8D8CFE3B3292738F2
SHA1:	6CB95B8015424AD3350A9E5480651E06631E0BA8
SHA-256:	F7A0F1876103105E2435CC5844E4AD9B29CE75DEB13ECC80C799EFF9ADC9EA9F
SHA-512:	E73DDF3BF2AC9037C8C33CD474D3583876C273DCFF51AA9749D1E0B5FA6FA4CE97F1DAF0E152C032174B87BAE7386C769EA8076F5159DFF11A6CFD0197CFAEFF
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>.\|o.*..............................................................................................................................................................................................................................................................................................................................................W.k[........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	6.676970600856281
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	FW_ Orderbevestiging - 85500000571-1.msg
File size:	222'208 bytes
MD5:	a9422298d9085c485ab3d4f845b623f6
SHA1:	d1c2d34e89a750af95778144444a2b223c32dc0c
SHA256:	4d0f3996b52628d5b6c260c37705d02b6d6b5b0b7799460b47688566205ccac7
SHA512:	ced220bee9f6ffdeb633bcdcd23139a6f042dd7d201a30d7b5ce6629e40c1fd2d157352525ebe8e4cf313cc9ca3bc175105946790467cad2584c18cab1ae7545
SSDEEP:	3072:fiZoeooRWf76dAs2TCVyLDv4eFVskmH5UH2ZOjMWsgn1EdPjowBSdnIrBiel:SooEdFVLq5UH2YjMBg1EjoTK
TLSH:	C4245D153AFA4209F377EF724FE690AB8536FC92AD14D69F3191370E0671A409861B3B
File Content Preview:	........................>.......................................................p.......T......................................................................................................................................................................

Static Mail

General

Subject:	FW: Orderbevestiging - 85500000571-1
From:	Invoices <invoices@thermoclean.com>
To:	IT Support <it.support@thermoclean.com>
Cc:
BCC:
Date:	Wed, 30 Oct 2024 13:29:20 +0100
Communications:	Vriendelijke groeten, Cordialement, mit freundlichen Gren, Best regards, S pozdravom, Elke van den Bergh Accounting Department Thermo-Clean Group Tel: +32 13 53 90 18 www.thermoclean.com <http://www.thermoclean.com> <https://www.youtube.com/@thermo-cleangroup5215> <https://nl.linkedin.com/company/thermo-clean/> <https://www.facebook.com/thermoclean/> In light of the European GDPR, we inform you that your personal data is stored in our system and is only used for processing your orders and maintaining our business relationship. If you wish to learn more about our data management and protection policy, please check our Privacy Statement at www.thermoclean.com/en/about-us/privacy-declaration <http://www.thermoclean.com/en/about-us/privacy-declaration> . From: Dustin B.V. <noreply@dustin.com> Sent: woensdag 30 oktober 2024 13:04 To: Invoices <invoices@thermoclean.com> Subject: Orderbevestiging - 85500000571-1 External Email This email was sent from outside the Thermo-Clean organization. Dear, See attached the order confirmation document. Dustin
Attachments:	85500000571-1.pdf image001.png image002.jpg image003.jpg image004.jpg

Headers

Key	Value
Received	from DU0PR02MB8244.eurprd02.prod.outlook.com
12	29:20 +0000
Authentication-Results	dkim=none (message not signed)
by DB9PR02MB6505.eurprd02.prod.outlook.com (2603	10a6:10:1fb::23) with
2024 12	29:20 +0000
([fe80	:d87d:a09f:72c9:8910%5]) with mapi id 15.20.8114.015; Wed, 30 Oct 2024
Content-Type	application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding	binary
From	Invoices <invoices@thermoclean.com>
To	IT Support <it.support@thermoclean.com>
Subject	FW: Orderbevestiging - 85500000571-1
Thread-Topic	Orderbevestiging - 85500000571-1
Thread-Index	AQHbKsPmyKMgFQz2qkm64MGJmwOO8rKfOSEQ
X-MS-Exchange-MessageSentRepresentingType	1
Date	Wed, 30 Oct 2024 12:29:20 +0000
Message-ID	<DU0PR02MB82447BB07E7660CADD4E70859C542@DU0PR02MB8244.eurprd02.prod.outlook.com>
References	<H1aCV4RgQgWWpF15vKh3ZQ@geopod-ismtpd-9>
In-Reply-To	<H1aCV4RgQgWWpF15vKh3ZQ@geopod-ismtpd-9>
Accept-Language	en-US
Content-Language	en-US
X-MS-Has-Attach	yes
X-MS-Exchange-Organization-SCL	1
X-MS-TNEF-Correlator	<DU0PR02MB82447BB07E7660CADD4E70859C542@DU0PR02MB8244.eurprd02.prod.outlook.com>
MIME-Version	1.0
X-MS-Exchange-Organization-MessageDirectionality	Originating
X-MS-Exchange-Organization-AuthSource	DU0PR02MB8244.eurprd02.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Internal
X-MS-Exchange-Organization-AuthMechanism	04
X-MS-Exchange-Organization-Network-Message-Id	2d5b5339-3748-4912-a83f-08dcf8de7a7c
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	DU0PR02MB8244:EE_\|DB9PR02MB6505:EE_\|VI0PR02MB10572:EE_
Return-Path	invoices@thermoclean.com
X-MS-Exchange-Organization-ExpirationStartTime	30 Oct 2024 12:29:20.3319
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Office365-Filtering-Correlation-Id	2d5b5339-3748-4912-a83f-08dcf8de7a7c
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed	True
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam	BCL:0;ARA:13230040\|366016\|8096899003\|41050700001;
X-Forefront-Antispam-Report	CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:DU0PR02MB8244.eurprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(366016)(8096899003)(41050700001);DIR:INT;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	30 Oct 2024 12:29:20.1010
X-MS-Exchange-CrossTenant-FromEntityHeader	Hosted
X-MS-Exchange-CrossTenant-Id	65d4cff9-4c55-40d4-a09a-7a5ef1b23f73
X-MS-Exchange-CrossTenant-AuthSource	DU0PR02MB8244.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Internal
X-MS-Exchange-CrossTenant-Network-Message-Id	2d5b5339-3748-4912-a83f-08dcf8de7a7c
X-MS-Exchange-CrossTenant-MailboxType	HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName	wNtqMerIkifZ8BG2d215ryk5AKK4imPHjmLJbN58/Rr7IYjYPrQxlUWlLUIrI98lSl3XJrpfTpFj0Aqian2Lq/AWAULwkHQuDTXv/I9dYeevnVlRd8Yx2AQtNfgYdMeg
X-MS-Exchange-Transport-CrossTenantHeadersStamped	DB9PR02MB6505
X-MS-Exchange-Transport-EndToEndLatency	00:00:03.1755309
X-MS-Exchange-Processed-By-BccFoldering	15.20.8114.015
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);
X-Microsoft-Antispam-Message-Info	dFpKbsRK3L9RjnFLSuKGiNiEQgQy/A8PgFlzsnwt8+fHv7WtVhjdinysRNYPlN+x/VsHn9UAD4hqMuc9HCzKhVhjGSkiA11GClKxr+DpE+uP0IgusjkLYq2d6OH4h+OFChIRNFf3SiCyM4yIFbhSzjADuWycM0VRlbmvNwj+uCF2ge+EptlN++uw2nAWGJOn9r7LH7mUB2uQK0E4Kfed3g6uyImrvZe8dNrZZr2Ot4azG/yShJnY6qBct6li/N0jA1OsJD7yGGyVwSVxMmxNwtogTS8FivoYPXCKLdq00PpV9pSNXzUvvIRfvVKXRZ0rCm7gc/HyMUiyRz7ibSaUH/YI4bVKKMaeiwrnUIt33ZhwdwPEFTwfgvvqGzLwwnTgt5gmPvARcBQpWfrVJc+1IMZ0KiM498IZty6AO3cO1mh3aqcxVWyiiWYI3E3MlYdZiX8hlMLJmi9yD/lw7Meky4FVayZxEsMLfvB7q7Y2BLqUId+2L3zeL8AEP3Uhn8YXuc5Eb1ClHFPh5k4SmzmfzgNeCxslBYgqGT3YARRNueBcCPZozB2V57/ip0VbcsVJtD3+tCi1WJaoXAf2vLLWhPq73298tqPB+hTcbovhz39mhkKEPm+057w2JKu+Uhn7UKQbuaAcmncTdX21OEDNXY6e5iPMfVla0WBIi4C066N6/C50gO2ntNN+ts4IFlo8G3PaZ5IH0fk5hZLULtiEXHrv8RvumfMpgSVEDSVrKZsOspHLECr/0ft1F4RxBO69pB2fBUva69Px2kip3fY2yRkzYFjsFL70RAEoQjlkVupQEXUocW8uGlVL2FA22XDmyMlMhZTZaw9ovQY1CSWMBQ==
date	Wed, 30 Oct 2024 13:29:20 +0100

File Icon


Icon Hash:	c4e1928eacb280a2

Target ID:	0
Start time:	09:26:29
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\FW_ Orderbevestiging - 85500000571-1.msg"
Imagebase:	0x350000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	09:27:09
Start date:	30/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "DD02958B-7185-4644-81E8-81708E0B3128" "3F917F8C-9997-4D7C-89FB-9D3959AF9CA5" "7920" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff641a10000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:27:11
Start date:	30/10/2024
Path:	C:\Windows\SysWOW64\DWWIN.EXE
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\DWWIN.EXE -x -s 3528
Imagebase:	0xff0000
File size:	189'440 bytes
MD5 hash:	57A4F3E9F6F5AA7AFA57FAACBF578453
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report FW_ Orderbevestiging - 85500000571-1.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_OUTLOOK.EXE_b64c333b1caaf1150975129aa9c55951cdf086_00000000_917002f5-c1bd-4f4b-b950-9964101302c4\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68B0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER68F0.tmp.xml

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\5475cb191e478c39370a215b2da98a37e9dc813d.tbres

C:\Users\user\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\37D085A5.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\48E73734.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\7B87023F.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\F7F38762.dat

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{E802F7F6-D7DE-4690-B58C-8C6BEC1107DB}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793394492800_D416B852-9DDC-4C2E-84EB-B842733E72B9.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730294793395735100_D416B852-9DDC-4C2E-84EB-B842733E72B9.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241030T0926300138-7920.etl

C:\Users\user\AppData\Local\Temp\~DFED457B9D1FC0D166.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

Static Mail

Windows Analysis Report
FW_ Orderbevestiging - 85500000571-1.msg