Windows Analysis Report
Invoice PSI-3102.msg

Overview

General Information

Sample name:Invoice PSI-3102.msg
Analysis ID:1559804
MD5:cc9b81f0a0d637e20e1b5c4b91de5971
SHA1:7863095ad99909deead48f4579a3c0e791cb77d0
SHA256:b23ead15d4d482abdf13371ea819ec1414778bebad05bf5099a84d8afbcbfc9b

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected potential phishing Email
Creates a window with clipboard capturing capabilities
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Office Outbound Connections
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7076 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Invoice PSI-3102.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7160 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "02D15676-6C87-4131-A725-06E65A651A97" "6C37907D-6491-4304-AFBC-53271C821EA7" "7076" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 4592 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://userforniabodyworks.us/psi.PDF MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 4396 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,12353776708869037831,1350883076824126558,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • OUTLOOK.EXE (PID: 5860 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding MD5: 91A5292942864110ED734005B7E005C0)
  • cleanup
No yara matches
Sigma detected: Office Autorun Keys Modification
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7076, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Sigma detected: Suspicious Office Outbound Connections
Source: Network Connection; Author: X__Junior (Nextron Systems); Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49707, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 7076, Protocol: tcp, SourceIp: 52.123.243.182, SourceIsIpv6: false, SourcePort: 443

Suricata IDS alert
Timestamp:2024-11-20T23:35:55.091450+0100
SID:2028371
Severity:3
Classtype:Unknown Traffic
Source IP:192.168.2.16
Source Port:49707
Destination IP:52.123.243.182
Destination Port:443
Protocol:TCP

Phishing

Source: Email; Joe Sandbox AI: Email contains QR code
Source: Email; Joe Sandbox AI: Detected potential phishing email: The email contains a suspicious external link to a PDF file with a generic domain (userforniabodyworks.us). The sender and recipient are both 'Postmaster', which is highly unusual for a legitimate invoice. The message is generic and lacks specific company details despite claiming to be from a Credit Control Department.
Source: https://mjkj.ubszzspy.ru/s6pTqt/; HTTP Parser: No favicon
Source: unknown; HTTPS traffic detected: 52.123.243.182:443 -> 192.168.2.16:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.202.163.200:443 -> 192.168.2.16:49729 version: TLS 1.2
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49707 -> 52.123.243.182:443
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; TCP traffic detected without corresponding DNS query: 172.202.163.200
Source: unknown; TCP traffic detected without corresponding DNS query: 199.232.214.172
Source: unknown; TCP traffic detected without corresponding DNS query: 20.190.147.4
Source: unknown; TCP traffic detected without corresponding DNS query: 192.229.221.95
Source: global traffic; DNS traffic detected: DNS query: userforniabodyworks.us
Source: global traffic; DNS traffic detected: DNS query: mjkj.ubszzspy.ru
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown; Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown; Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown; Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown; Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49702
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49723
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window created: window name: CLIPBRDWNDCLASS
Source: classification engine; Classification label: mal48.winMSG@19/24@8/136
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241120T1735470884-7076.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Invoice PSI-3102.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "02D15676-6C87-4131-A725-06E65A651A97" "6C37907D-6491-4304-AFBC-53271C821EA7" "7076" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://userforniabodyworks.us/psi.PDF
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1812,i,12353776708869037831,1350883076824126558,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (per tactic; an entry prefixed with a number is a technique matched by that many signatures, the remaining entries are the matrix's unmatched default techniques)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At
Persistence: 2 Browser Extensions, 1 DLL Side-Loading, 1 Registry Run Keys / Startup Folder
Privilege Escalation: 1 Process Injection, 1 DLL Side-Loading, 1 Registry Run Keys / Startup Folder
Defense Evasion: 1 Masquerading, 1 Process Injection, 1 DLL Side-Loading
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager
Discovery: 1 Process Discovery, 13 System Information Discovery, Query Registry
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares
Collection: 1 Clipboard Data, Data from Removable Media, Data from Network Shared Drive
Command and Control: 2 Encrypted Channel, 1 Non-Application Layer Protocol, 2 Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact

Antivirus detection
Source | Detection | Scanner | Label | Link
Invoice PSI-3102.msg | 0% | ReversingLabs | |
No Antivirus matches
Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
mira-tmc.tm-4.office.com | 52.123.243.182 | true | false | | high
a.nel.cloudflare.com | 35.190.80.1 | true | false | | high
mjkj.ubszzspy.ru | 172.67.136.194 | true | false | | unknown
www.google.com | 172.217.21.36 | true | false | | high
userforniabodyworks.us | 104.21.24.61 | true | true | | unknown

URLs
Name | Malicious | Antivirus Detection | Reputation
https://mjkj.ubszzspy.ru/s6pTqt/ | false | | unknown
IPs
IP | Domain | Country | ASN | ASN Name | Malicious
172.217.19.238 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.217.17.35 | unknown | United States | 15169 | GOOGLEUS | false
52.111.252.17 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
104.21.24.61 | userforniabodyworks.us | United States | 13335 | CLOUDFLARENETUS | true
20.42.65.85 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
74.125.205.84 | unknown | United States | 15169 | GOOGLEUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
172.67.136.194 | mjkj.ubszzspy.ru | United States | 13335 | CLOUDFLARENETUS | false
52.109.89.19 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.217.21.35 | unknown | United States | 15169 | GOOGLEUS | false
172.217.21.36 | www.google.com | United States | 15169 | GOOGLEUS | false
35.190.80.1 | a.nel.cloudflare.com | United States | 15169 | GOOGLEUS | false
52.123.243.182 | mira-tmc.tm-4.office.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

Analysis machine IP
IP:192.168.2.16
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1559804
Start date and time:2024-11-20 23:35:14 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:16
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
• EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:Invoice PSI-3102.msg
Detection:MAL
Classification:mal48.winMSG@19/24@8/136
Cookbook Comments:
• Found application associated with file extension: .msg
• Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.89.18
• Excluded domains from analysis (whitelisted): ecs.office.com, fs.microsoft.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, officeclient.microsoft.com, weu-azsc-config.officeapps.live.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mira.config.skype.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: Invoice PSI-3102.msg
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
              Category:dropped
              Size (bytes):1869
              Entropy (8bit):5.084889636508524
              Encrypted:false
              SSDEEP:
              MD5:1C85C94C658B6F5A35322596B9777AFC
              SHA1:9EA8F3698E51FED8BD62EF1C343C91F00E977CBF
              SHA-256:547B8B4C35E268F66F76AD6905082345162FA1FF56B3D777CA0D5A6A5B59F49C
              SHA-512:DF130C452AA426FA89CBC8F027E2FD823298CBE7B55BF3C33EA4E1B844BA82C70520F93AA4648AD81DB6BC1BECB005A9DBD257C8B07300C777254E05834DE24B
              Malicious:false
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-11-20T22:35:51Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-11-20T22:35:51Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-06T09:25:29Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-06T09:25:29Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-06T09:25:29Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):180335
              Entropy (8bit):5.289219317479308
              Encrypted:false
              SSDEEP:
              MD5:A9DAD9982BC25BB22D5EA3A598B55A23
              SHA1:C271FA3B38E0219D76A58F9AB0D8D693BEA94135
              SHA-256:94FA5657F307A7A46A143F7EE052A0A81B749D6220C1581C98DE4C9DA809D266
              SHA-512:3C55188F1B8CB7CC7D6848B52DC17E1956A9DD8F8F8C479E2B3A81CE671F9CAA06105FE1162BB7BD7C11FD591EFCB60660591F7C2EA8457AD34F0120ABC0960E
              Malicious:false
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-20T22:35:51">.. Build: 16.0.18307.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):32768
              Entropy (8bit):0.04604146709717531
              Encrypted:false
              SSDEEP:
              MD5:44B7C564EA19FCEC4B5302F3D647DBB8
              SHA1:146B96095FC8B43AAEB5B6B632DE55E961BD5080
              SHA-256:0497DC9FA66CFBCBCFF8FF138A389C76C176D83DB0FC218319B910367540F3B6
              SHA-512:74026961D4C45C35831BECA6126D8D97B87EEDEC1EB30DF9506EC2F8EEA6F6682C6729855FE68161D69B87F1FFCB2C205CA983379452754354F4AA89CFFD85A8
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:SQLite Write-Ahead Log, version 3007000
              Category:dropped
              Size (bytes):49472
              Entropy (8bit):0.48348955293761975
              Encrypted:false
              SSDEEP:
              MD5:95086B23F3DFFE7145AB9EE71B888B9C
              SHA1:D9EBFDC18E54304FEA2DED82426F1CA4D232FA3F
              SHA-256:7F16FAF0260588688E1E63773DC7016459EA566E0A66F38809DD5292A2DF3A52
              SHA-512:B86491A6CE292446A793DE984255AA550D57D59B022E1D3265F6CAAF16B01A7025D737A248978AAC2C7E22C941D271B84F1E96FBB06A54CD415BFEDFE4223FB4
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:PNG image data, 112 x 112, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):11727
              Entropy (8bit):7.972554765970449
              Encrypted:false
              SSDEEP:
              MD5:E503E8AB938247A9E2A8F3D6F1E5B197
              SHA1:940159E700C4B874043527164E40E9A87F81496E
              SHA-256:7E7936935A78DCEBC6AFB86A1F8951ADAC06679BE3C76444D0B21F4E34AB1FD9
              SHA-512:B50691E0CF133347DFC4BFB7E3E2F40292758C91DDB78167825399DFFA7187AE4863C9F676823EF9E2170C1012928B2466FDE21D0660816341866EF228341BCA
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:PNG image data, 91 x 103, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):15248
              Entropy (8bit):7.97422773082355
              Encrypted:false
              SSDEEP:
              MD5:9A1144ADB8D0F2E56C9D85E082094690
              SHA1:78133C6927F1505BE32A9DFC30E2EE91429A2A43
              SHA-256:3FDCD948D2AFA8070CCD6BF3F98F3657AE22DDDE115B964449BC2EE89733E0DF
              SHA-512:F3B2C1E9B67ECD8DC5BE403F002513B18B18968AFE618A05000337883FDA7478405716A52CB3292BB4BA8124451642A7B619DC8E6BBBF5593D7735D9787D1D77
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:PNG image data, 270 x 57, 8-bit/color RGB, non-interlaced
              Category:dropped
              Size (bytes):7341
              Entropy (8bit):7.966282725790193
              Encrypted:false
              SSDEEP:
              MD5:1F7849CB5ECED63CAB3A47A1DA67AFB5
              SHA1:EA99B6D439C3D420D8F8A5CE1D1E8526366AE59C
              SHA-256:8E886A5B6615D0728AB8B5FD13F380081B99F81C19F94C91EE6044EFC65FEB67
              SHA-512:16ED689924C406633A32F4BD4317B1CE9EF4F91A0BD356337CFDF5C5EE382A3C956D8EC5D69B975FDBCE31EA3D902E7377904DB8B62C2AF76CEBB406E30F82F8
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:PNG image data, 733 x 264, 8-bit/color RGBA, non-interlaced
              Category:dropped
              Size (bytes):23478
              Entropy (8bit):7.923630625398491
              Encrypted:false
              SSDEEP:
              MD5:9DA05DCC04D94712C25B14C21BFE6040
              SHA1:B313FF7C196164CC32D76ABBF0BC5BB8966A2DD6
              SHA-256:134BFAC12A11DC15522E4F56A347E16C9F7559FAB82973A666D5614096E85F5D
              SHA-512:F0207CC50FED58119AC83C28D95659CF69D15C5746CD408FB7AE8A3127AD8E175B37075F33F4031684C1DAFBFDB959DBE16DF83D06EF31AFD643CEB19A7A6BAF
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):1604
              Entropy (8bit):0.6627196631690828
              Encrypted:false
              SSDEEP:
              MD5:059C616BA1C822C669A0161112E878F0
              SHA1:997CF350A5A36FE3E45474403C37209D1BA34301
              SHA-256:86F6B65D449168F976BA36D8613BB4340851B9FD735D37D0D92C2FA02189A0B0
              SHA-512:129391B800CF1F8A409BC7C326C9B7F11AA8BD0464DF6204AC9D1D282A7FD44D1FCCDA8B2332ADC9412A80242D583976A1E8303D1A58878C2A876455ABF0038C
              Malicious:false
              Reputation:unknown
              Preview:....H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.c.a.l.i.f.o.r.n.i.a.b.o.d.y.w.o.r.k.s...u.s./.p.s.i...P.D.F.".................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:ASCII text, with very long lines (28764), with CRLF line terminators
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.17905152457081444
              Encrypted:false
              SSDEEP:
              MD5:64196901B277A446B5F0E601D6D901CD
              SHA1:53721BF4570555A72A167EB8322FA0D135271C01
              SHA-256:A22487420287A9EF73B02C8822E3BEDAF17632B31EA715D415B8C956A13F303D
              SHA-512:AA1C15CF33C696668238B0F6461A47A685F189017C6A6DE2243D5FF1F2B14B5C44E0E73FE3BD8DC45A6332E9B15EAC14053C2C7CFB8250241D2B45799787A54E
              Malicious:false
              Reputation:unknown
              Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/20/2024 22:35:48.153.OUTLOOK (0x1BA4).0x1BA8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-11-20T22:35:48.153Z","Contract":"Office.System.Activity","Activity.CV":"vVIMNRZ2dkGpAzdIBkHL4g.4.9","Activity.Duration":16,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...11/20/2024 22:35:48.169.OUTLOOK (0x1BA4).0x1BA8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-11-20T22:35:48.169Z","Contract":"Office.System.Activity","Activity.CV":"vVIMNRZ2dkGpAzdIBkHL4g.4.10","Activity.Duration":10327,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):20971520
              Entropy (8bit):0.0
              Encrypted:false
              SSDEEP:
              MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
              SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
              SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
              SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:modified
              Size (bytes):94208
              Entropy (8bit):4.4960056920395495
              Encrypted:false
              SSDEEP:
              MD5:D1DB9F03DEF0DA1A15688DC461EEE45C
              SHA1:C8B40318EBDC91A70C3F28B2A8AABD96E278E168
              SHA-256:7D7BCF6E4CC043802F446803CA99A1AE0A1041CF14F95EF65A58ED71CC0B8AFB
              SHA-512:632D96B836BF07B452E74F85D34368C634744FC99E786C7C2288C82A759C5FC7ADE5D7A7E1F435D63CE1C3085F1622C6A1E3D2435BBEB7F377D02CED5542E520
              Malicious:false
              Reputation:unknown
              Preview:............................................................................`...........c.~..;..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`H...Y..........c.~..;..........v.2._.O.U.T.L.O.O.K.:.1.b.a.4.:.e.f.f.9.2.3.b.9.6.b.9.c.4.5.2.f.8.0.f.a.4.f.a.b.1.1.6.a.e.a.6.0...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.2.0.T.1.7.3.5.4.7.0.8.8.4.-.7.0.7.6...e.t.l.......P.P.........c.~..;..........................................................................................................................................................................................................................................................................................................
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):16384
              Entropy (8bit):3.592766298743559
              Encrypted:false
              SSDEEP:
              MD5:D0330844F9C83D3B913079C1C81CBE1A
              SHA1:DB42860318F4FF9634C52DA14EA2D652225A4062
              SHA-256:3839EEEA3FF695A09A6FB074163100478FF7579543D2A22C9D267CF3FB7D2119
              SHA-512:78CA8A7CEC1AAD69DDC0E32F752672D5C69F80C11543E5BB3F9C0A17134F0E3147E12C942C29B69E53C3C0AAD8DC83509DDA75CE085D24EBB5B0658EF330B726
              Malicious:false
              Reputation:unknown
              Preview:............................................................................`................;..................eJ.........;..Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................`H...Y...............;..........v.2._.O.U.T.L.O.O.K.:.1.6.e.4.:.d.0.3.0.e.d.8.8.d.c.7.4.4.7.5.9.b.a.1.7.b.5.7.6.a.f.6.3.f.6.7.0...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.1.2.0.T.1.7.3.6.0.4.0.7.9.1.-.5.8.6.0...e.t.l.......P.P..............;..........................................................................................................................................................................................................................................................................................................
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):163840
              Entropy (8bit):0.4241975895971827
              Encrypted:false
              SSDEEP:
              MD5:C8743392A97130D5733C616528129CA9
              SHA1:4D243E8BC159CF9FF912C90524AA2C98ED50D97F
              SHA-256:1202AECECB02A14B8296C8F5253B004A22738C0C2EB3CFA1117508684E6EFEBC
              SHA-512:90974D1CFDCF2733F4B456088A9A09970E96FDF56EC5A6302C38AED8F7E09446C2C26941AB3CDA59C310BFBFFA0AE136807EB25A8DA074C5151224E68FCAC37F
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):30
              Entropy (8bit):1.2389205950315936
              Encrypted:false
              SSDEEP:
              MD5:49C1B22ACACA7085318C334B0575E998
              SHA1:F7F426122529A9B78E662A61E400A3D9DA1BBE3C
              SHA-256:F137E1BFF28AB1B18708C2F1E750228D68AF03A8B22847BCB0EB4A248B1CCBDF
              SHA-512:C4E46429AA856216113826AB102E35838F2AE47971C87838E3354A74C779F97B9DA91A78303FE125C5FBEB0CE259A63B9D04A5BC71FFEFE9E3C6375E4E15AABF
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:modified
              Size (bytes):14
              Entropy (8bit):2.699513850319966
              Encrypted:false
              SSDEEP:
              MD5:C5A12EA2F9C2D2A79155C1BC161C350C
              SHA1:75004B4B6C6C4EE37BE7C3FD7EE4AF4A531A1B1A
              SHA-256:61EC0DAA23CBC92167446DADEFB919D86E592A31EBBD0AB56E64148EBF82152D
              SHA-512:B3D5AF7C4A9CB09D27F0522671503654D06891740C36D3089BB5CB21E46AB235B0FA3DC2585A383B9F89F5C6DAE78F49F72B0AD58E6862DE39F440C4D6FF460B
              Malicious:false
              Reputation:unknown
              Preview:..c.a.l.i.....
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 21:36:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2673
              Entropy (8bit):3.982199756308078
              Encrypted:false
              SSDEEP:
              MD5:AC78C44007EF228566D1C3DDAF951EC5
              SHA1:1CCF6CBD319FF5270DD278F74E8067FD8D3D9FDB
              SHA-256:B717DC4CC73EC56E99B98246CB8440249A013D88BBC4423688B740C145930597
              SHA-512:9A3C0FA9D01558D34C67E987949FAF8D097A52892206ED8935399151D554986509355EFF617876B89CA36DD718C6F7AF47C92057A658BF29733CE282AC2C6F56
              Malicious:false
              Reputation:unknown
              Preview:L..................F.@.. ...$+.,.....qS..;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.ItYn.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........v.y......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 21:36:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2675
              Entropy (8bit):3.9966877082662955
              Encrypted:false
              SSDEEP:
              MD5:0AC040F4F81EC81DE2399E746AAF79A8
              SHA1:1CF8BB75E23A245CE29C2A30D29A5896480C9362
              SHA-256:EBF99E5B2E283CD6A02B8D323AEED142CB5B41E68161E56DE7CB9593C116C582
              SHA-512:91E5D39EA28AAA4275A16ECA45517768AEA3A3473B25092D0A9F5C1E5E58142686C9EBCA3583C1F17409175611ABC202498DBD307F32755A6384C51AB815E82E
              Malicious:false
              Reputation:unknown
              Preview:L..................F.@.. ...$+.,....Y.F..;..N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.ItYn.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VtY.............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........v.y......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2689
              Entropy (8bit):4.0060477899472735
              Encrypted:false
              SSDEEP:
              MD5:ED004F1FC3F57F1AA4C21D2148BA5F72
              SHA1:79EA8367E509716B1DCEE924A487916AD4FC5E97
              SHA-256:DDA4D95EADD779D71BED9E3222C659EE6D394C79F294D30D0CF3732EC981DF5C
              SHA-512:355C6D115E2D586313D293A69252C7A66434D4F17EA01A1051F22951F6C207EEBEA24F61B32266B8D6AD9794111F23745B7B9813A3285267AF46DBC3F9EAF7F9
              Malicious:false
              Reputation:unknown
              Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.ItYn.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VtY......L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VtY......M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VtY............................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........v.y......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 21:36:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2677
              Entropy (8bit):3.997193630502984
              Encrypted:false
              SSDEEP:
              MD5:6A20B0901A4D7678B4964F1E09A71231
              SHA1:AC02D48C9DE0CA96F6EDA0858EC1B742C0A707BA
              SHA-256:105327B5D24CA3B62044E4D73DABC3C33B6949A70A377E880CFE244B8C54B824
              SHA-512:A921686F08032BD84B455CBC005134171491DF7B25C6491973B5669A0F091F4063353C85E7F11F60795C7C30C28D7925EABC8223C9574D616D72FDFC17BD690F
              Malicious:false
              Reputation:unknown
              Preview:
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 21:36:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2677
              Entropy (8bit):3.98379735460674
              Encrypted:false
              SSDEEP:
              MD5:B18A40FA1CA5E1117C3E9D47814F0F92
              SHA1:3D655CD85023999A98EAE557577EF63163C79FC1
              SHA-256:6037541CBC30A4158A6CD3052C2D9224E4ADB04214BD0EBB2DF0C339BEFB55B3
              SHA-512:6DA81C67DC2FBE7391AEFF4621FEBE918FB00120A560FB803BA725F5F131C0CFA0A864F2CEF7B03B63A7AC28D4B21F67F2908BC96682727192A7F284D21F563C
              Malicious:false
              Reputation:unknown
              Preview:
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Nov 20 21:36:26 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2679
              Entropy (8bit):3.9936783010405086
              Encrypted:false
              SSDEEP:
              MD5:C6F8DD3FD3370C607E4446160765F957
              SHA1:579EC9AA8BF5A999FB1329E98AF7820040785D93
              SHA-256:55548D3DB0F5C3E18506D4693F90D38EBEDD5CE749191A4B7B211B2FAA8200B4
              SHA-512:08772B5092D3017E26048C8C553CED4127AD5E1A2E2B7428BEABA8301CD2257AAFF27BC9D4A21E3DC469A852A57DC2C53A031003BF636888AE4CC1CFF99A5235
              Malicious:false
              Reputation:unknown
              Preview:
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:Microsoft Outlook email folder (>=2003)
              Category:dropped
              Size (bytes):271360
              Entropy (8bit):1.3201831390331757
              Encrypted:false
              SSDEEP:
              MD5:865479267426BC73DC02332D227EA889
              SHA1:67DEA43524388391C6EAD28738EF4396F6B2BA89
              SHA-256:11A29DEC1F222A281271C6E8442F84D25417CD91A624B97E767078C46B1C21E1
              SHA-512:5DBA75696017F251DABD98623FB4A6F67CD9C32E88FC6B0C516127ADD8E87D0B28A7179CA9B6906123CB4268AD8C993B510C8F5A571CBADEABD7C2CFEA15C521
              Malicious:true
              Reputation:unknown
              Preview:
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):131072
              Entropy (8bit):1.234865535541577
              Encrypted:false
              SSDEEP:
              MD5:94B2A862A20B78D2443943413D028A0F
              SHA1:BA27B0E645190CB6A9E4F69B70ADF1F53DFB8A06
              SHA-256:2226022DDE09F77C71F22A2D4D08C938C819B04E721EE2AEEF6B8B6DE6654F1F
              SHA-512:AB2E4C0C35CCBC08FCAD1FC5A654FEEA57D51B54CD9B797664114F98453B39476F524180E0A9102F0B6745C132C18E32D8D3EFA62EFE78586C5F84D393C3CC53
              Malicious:true
              Reputation:unknown
              Preview:
              File type:CDFV2 Microsoft Outlook Message
              Entropy (8bit):5.800891357891066
              TrID:
              • Outlook Message (71009/1) 58.92%
              • Outlook Form Template (41509/1) 34.44%
              • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
              File name:Invoice PSI-3102.msg
              File size:162'304 bytes
              MD5:cc9b81f0a0d637e20e1b5c4b91de5971
              SHA1:7863095ad99909deead48f4579a3c0e791cb77d0
              SHA256:b23ead15d4d482abdf13371ea819ec1414778bebad05bf5099a84d8afbcbfc9b
              SHA512:2895e30336cd15b42bb3b1d7e901b03a70517700f58bd610764466a32747b7d1eefced0d0de8ab93b4a919a6d6134e7b5b3baf2c690701f1b0b9632027c0d683
              SSDEEP:1536:7novWTWjWsWGW5WDUhXr5YYW+OdjMSF0ZXrQGLDkN4Q/xeax7Hzcr1OUgatHe3nQ:8OYV+OdjqFRLNQ/xNx7Ir11D16qlSA
              TLSH:68F3D92435F9061AF377DF718BE390A78522FC92EE15975F31D5334E0632A41A863B2A
              File Content Preview:
              Subject:Invoice PSI-3102
              From:Postmaster <postmaster@highlandreeds.com>
              To:Postmaster <postmaster@highlandreeds.com>
              Cc:
              BCC:
              Date:Tue, 19 Nov 2024 23:36:57 +0100
              Communications:
              • <https://californiabodyworks.us/psi.PDF> Good Morning, Please find attached invoice(s). Kind regards Credit Control Department Your Right to Disconnect: This email is being sent at a time that is convenient for me, should you receive it outside of your working hours please note there is no obligation to respond or take action outside of your normal working hours. DISCLAIMER: This email contains proprietary information some or all of which may be legally privileged. It is for the intended recipient only. If an addressing or transmission error has misdirected this email, please notify the author by replying to this email. If you are not the intended recipient, you must not use, disclose, distribute, copy, print or rely on this email. All services carried out, quoted, and invoiced by Slicker Recycling Ltd are subject to our Standard Terms & Conditions of Business, available on request. If you have received this in error, we apologise and please advise us by reply email and then delete this and any attachment. If this email was not addressed to you then you may not use any of it: it may contain material that is confidential or covered by client legal privilege.
              Attachments:
              • image001.png
              • image002.png
              • image003.png
              • image004.png
              Key Value
              Received: from CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM
                22:36:57 +0000
              Authentication-Results: dkim=none (message not signed)
                by CWLP123MB4228.GBRP123.PROD.OUTLOOK.COM (2603:10a6:400:8f::10) with
                2024 22:36:57 +0000
                ([fe80::ba88:b699:4ee5:fe0e%7]) with mapi id 15.20.8158.023; Tue, 19 Nov 2024
              Content-Type: application/ms-tnef; name="winmail.dat"
              Content-Transfer-Encoding: binary
              From: Postmaster <postmaster@highlandreeds.com>
              To: Postmaster <postmaster@highlandreeds.com>
              Subject: Invoice PSI-3102
              Thread-Topic: Invoice PSI-3102
              Thread-Index: AQHavx9aDTLc/J9ey02KyvaxqOUDr7LADl6AgAAZ9fA=
              Date: Tue, 19 Nov 2024 22:36:57 +0000
              Message-ID: <CWXP123MB2790E041EE516DC620C29844DD202@CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM>
              References: <DU0PR08MB929931E825D9ED26559A1B88BD9DA@DU0PR08MB9299.eurprd08.prod.outlook.com>
              In-Reply-To: <CWXP123MB279019208373FB020B94602ADD202@CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM>
              Accept-Language: en-US
              Content-Language: en-US
              X-MS-Has-Attach: yes
              X-MS-Exchange-Organization-SCL: 1
              X-MS-TNEF-Correlator: <CWXP123MB2790E041EE516DC620C29844DD202@CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM>
              MIME-Version: 1.0
              X-MS-Exchange-Organization-MessageDirectionality: Originating
              X-MS-Exchange-Organization-AuthSource: CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM
              X-MS-Exchange-Organization-AuthAs: Internal
              X-MS-Exchange-Organization-AuthMechanism: 04
              X-MS-Exchange-Organization-Network-Message-Id: 69f0a5bb-e8d0-4e58-ef02-08dd08eaacd3
              X-MS-PublicTrafficType: Email
              X-MS-TrafficTypeDiagnostic: CWXP123MB2790:EE_|CWLP123MB4228:EE_|CWXP123MB2790:EE_
              Return-Path: postmaster@highlandreeds.com
              X-MS-Exchange-Organization-ExpirationStartTime: 19 Nov 2024 22:36:57.3274
              X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
              X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
              X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
              X-MS-Office365-Filtering-Correlation-Id: 69f0a5bb-e8d0-4e58-ef02-08dd08eaacd3
              X-Microsoft-Antispam: BCL:0;ARA:13230040|366016|8096899003|3613699012|41050700001;
              X-Forefront-Antispam-Report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(366016)(8096899003)(3613699012)(41050700001);DIR:INT;
              X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Nov 2024 22:36:57.1020
              X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
              X-MS-Exchange-CrossTenant-Id: 367d3172-dd9b-4fac-a669-c8c434c90cfd
              X-MS-Exchange-CrossTenant-AuthSource: CWXP123MB2790.GBRP123.PROD.OUTLOOK.COM
              X-MS-Exchange-CrossTenant-AuthAs: Internal
              X-MS-Exchange-CrossTenant-Network-Message-Id: 69f0a5bb-e8d0-4e58-ef02-08dd08eaacd3
              X-MS-Exchange-CrossTenant-MailboxType: HOSTED
              X-MS-Exchange-CrossTenant-UserPrincipalName: jofRTKKsv9G+wfhajg4QkpVOPjmbm4m/HCZmC/qzvZUxBIXDlKL3JStiQBdB16ZHHAsa3s2DPF8a8OJAbHpWm121Mpd1HOxaXHFtrMIFMHA=
              X-MS-Exchange-Transport-CrossTenantHeadersStamped: CWLP123MB4228
              X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.2547176
              X-MS-Exchange-Processed-By-BccFoldering: 15.20.8158.023
              X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);
              date: Tue, 19 Nov 2024 23:36:57 +0100

              Icon Hash:c4e1928eacb280a2