Windows Analysis Report
96c27caf-3816-d26f-4af5-19e1d76e6c15.eml

Overview

General Information

Sample name:96c27caf-3816-d26f-4af5-19e1d76e6c15.eml
Analysis ID:1560023
MD5:4da7ecd4816e136809a84b0f99d5783a
SHA1:bbb47156a5400b63989ae890e9ef38cbb51db5d9
SHA256:198320cfe4f29fe98d87798c9dc681a5f6f44d659f9c9b7dadfbebfeab085ce7
Infos:

Detection

HTMLPhisher
Score:60
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected phishing page
Yara detected HtmlPhish10
AI detected potential phishing Email
Creates a window with clipboard capturing capabilities
HTML body contains low number of good links
HTML page contains hidden javascript code
HTML title does not match URL
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Office Macro File Download
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Stores large binary data to the registry
Suspicious form URL found

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6168 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\96c27caf-3816-d26f-4af5-19e1d76e6c15.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7048 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "52219CC3-D128-49CD-B18D-27F7A690C07A" "B17A7844-3450-4021-8DC1-21F90BFCBE78" "6168" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • notepad.exe (PID: 1992 cmdline: C:\Windows\SysWOW64\notepad.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\V8I52AC6\details.txt MD5: E92D3A824A0578A50D2DD81B5060145F)
    • chrome.exe (PID: 6828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 1468 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1916,i,13485597059835569467,11056857493409090340,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
Source: 1.0.pages.csv, Rule: JoeSecurity_HtmlPhish_10, Description: Yara detected HtmlPhish_10, Author: Joe Security
    Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
    Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6168, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
    Source: Registry Key set, Author: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\V8I52AC6\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6168, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
    No Suricata rule has matched

    Phishing

    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, Joe Sandbox AI: Score: 8 Reasons: The brand 'Webmail' is a generic term and not associated with a specific well-known brand., The URL 'transportesgarcia.com' does not match the expected domain for a webmail service., The domain 'transportesgarcia.com' appears to be unrelated to any known webmail service., The presence of input fields for 'Email Address' and 'Password' on an unrelated domain is suspicious., The URL does not contain any well-known webmail service provider's domain name. DOM: 1.0.pages.csv
    Source: Yara match, File source: 1.0.pages.csv, type: HTML
    Source: Email, Joe Sandbox AI: Detected potential phishing email: The email claims to be from 'Mailer-Daemon' but uses a suspicious domain 'hawdweb.com' instead of the recipient's domain. The error message contains inconsistent information - mentions domain 'sohda.so' which doesn't match either sender or recipient domains. The format mimics legitimate bounce messages but contains technical inconsistencies typical of phishing attempts
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: Number of links: 0
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="359pt" height="320" viewBox="0 0 359 240"><defs><clipPath id="a"><path d="M123 0h235.37v240H123zm0 0"/></clipPath></defs><path d="M89.69 59.102h67.802l-10.5 40.2c-1.605 5.6-4.605 10.1-9 13.5-4.402 3.4-9.504 5...
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: Title: Webmail Login does not match URL
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: Form action: https://transportesgarcia.com/Webmail/login.php
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: <input type="password" .../> found
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: No <meta name="author".. found
    Source: https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com, HTTP Parser: No <meta name="copyright".. found
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: unknownHTTPS traffic detected: 52.149.20.212:443 -> 192.168.2.16:49739 version: TLS 1.2
    Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownTCP traffic detected without corresponding DNS query: 52.149.20.212
    Source: global trafficDNS traffic detected: DNS query: transportesgarcia.com
    Source: global trafficDNS traffic detected: DNS query: www.google.com
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASS
    Source: classification engineClassification label: mal60.phis.winEML@19/28@6/78
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\Dictionaries
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241121T0421410931-6168.etl
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Users\desktop.ini
    Source: C:\Windows\SysWOW64\notepad.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\96c27caf-3816-d26f-4af5-19e1d76e6c15.eml"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "52219CC3-D128-49CD-B18D-27F7A690C07A" "B17A7844-3450-4021-8DC1-21F90BFCBE78" "6168" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Windows\SysWOW64\notepad.exe C:\Windows\SysWOW64\notepad.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\V8I52AC6\details.txt
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1916,i,13485597059835569467,11056857493409090340,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: kernel.appcore.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: uxtheme.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mrmcorer.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: windows.storage.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wldp.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textshaping.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: efswrt.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: mpr.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: wintypes.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: twinapi.appcore.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: oleacc.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: textinputframework.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coreuicomponents.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: coremessaging.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: ntmarta.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: urlmon.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: iertutil.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: srvcli.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: netutils.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: propsys.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: policymanager.dll
    Source: C:\Windows\SysWOW64\notepad.exeSection loaded: msvcp110_win.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56FDF344-FD6D-11d0-958A-006097C9A090}\InProcServer32
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
    Source: C:\Windows\SysWOW64\notepad.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\V8I52AC6\details.txt VolumeInformation
    | Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
    |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
    | Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Browser Extensions | 1 Process Injection | 3 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Clipboard Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
    | Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 Modify Registry | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
    | Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact |
    | Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Obfuscated Files or Information | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction |
    | Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |

    No Antivirus matches
    | Name | IP | Active | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|---|---|
    | transportesgarcia.com | 187.86.152.164 | true | true | | unknown |
    | www.google.com | 142.250.186.100 | true | false | | high |

    | Name | Malicious | Antivirus Detection | Reputation |
    |---|---|---|---|
    | https://transportesgarcia.com/Webmail/webmail.php?email=com_agarcia@ahorramas.com | true | | unknown |
    | IP | Domain | Country | Flag | ASN | ASN Name | Malicious |
    |---|---|---|---|---|---|---|
    | 52.113.194.132 | unknown | United States | | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
    | 1.1.1.1 | unknown | Australia | | 13335 | CLOUDFLARENETUS | false |
    | 20.189.173.8 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
    | 74.125.133.84 | unknown | United States | | 15169 | GOOGLEUS | false |
    | 216.58.206.67 | unknown | United States | | 15169 | GOOGLEUS | false |
    | 187.86.152.164 | transportesgarcia.com | Brazil | | 53066 | VETORIALNETINFESERVICOSDEINTERNETLTDABR | true |
    | 52.109.28.48 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
    | 239.255.255.250 | unknown | Reserved | | unknown | unknown | false |
    | 52.109.32.97 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
    | 2.19.126.160 | unknown | European Union | | 16625 | AKAMAI-ASUS | false |
    | 52.109.89.19 | unknown | United States | | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
    | 142.250.186.100 | www.google.com | United States | | 15169 | GOOGLEUS | false |
    | 142.250.184.238 | unknown | United States | | 15169 | GOOGLEUS | false |
    | 172.217.18.10 | unknown | United States | | 15169 | GOOGLEUS | false |
          IP
          192.168.2.16
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1560023
          Start date and time:2024-11-21 10:21:10 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:19
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          Analysis Mode:stream
          Analysis stop reason:Timeout
          Sample name:96c27caf-3816-d26f-4af5-19e1d76e6c15.eml
          Detection:MAL
          Classification:mal60.phis.winEML@19/28@6/78
          Cookbook Comments:
          • Found application associated with file extension: .eml
          • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.109.32.97
          • Excluded domains from analysis (whitelisted): config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, europe.configsvc1.live.com.akadns.net
          • Not all processes where analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtSetValueKey calls found.
          • VT rate limit hit for: 96c27caf-3816-d26f-4af5-19e1d76e6c15.eml
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):231348
          Entropy (8bit):4.3874733495338605
          Encrypted:false
          SSDEEP:
          MD5:47E60525318CFE9DA1D1E517F6030F7E
          SHA1:91ECAA8B00B8AF51CDDB29A0994A1EF9FBAE8EB9
          SHA-256:81E24919C336A7E549633FBCFDE020D4CE529819D3C9473CC003FB0D87710BAC
          SHA-512:4708414CFEEE25510456C391C0445E1A864FB047A698601F0B3469C03F9FDBFCD1E55FFCDD5EB74D72806DACF6C14FDC5DDBE110821BA5FCFAFB397A6963E7D4
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:ASCII text, with very long lines (65536), with no line terminators
          Category:dropped
          Size (bytes):322260
          Entropy (8bit):4.000299760592446
          Encrypted:false
          SSDEEP:
          MD5:CC90D669144261B198DEAD45AA266572
          SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
          SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
          SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:ASCII text, with no line terminators
          Category:dropped
          Size (bytes):10
          Entropy (8bit):2.7219280948873625
          Encrypted:false
          SSDEEP:
          MD5:C5D51E266C7CF4911AB72BA00EA5FA44
          SHA1:7D94CC4C86B65C699896406D36EE1F847A36439D
          SHA-256:B96AD94002B0BF4F0F0ED98B8C19B1AB444BD552F64FF3FCC3C576370C9CCA61
          SHA-512:77E3E47CFF4743CAAC69FE62B686D2C3E6AA3DB4444A3E2417A838AF9CC90D9DA4358FC4E18748B1ABE6EBA2DE5055B0B3F348CA014537DC916755331890DF94
          Malicious:false
          Reputation:unknown
          Preview:1732180909
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):180335
          Entropy (8bit):5.2892232871645355
          Encrypted:false
          SSDEEP:
          MD5:9EEBAE6211811D00930499A098B5A79D
          SHA1:713ED070BCD5A33FC7972F2526EBCAF41D390331
          SHA-256:1476889920B8D2D42A24EA72537C370A87DB73A22A09610DE0D61007E7354FCB
          SHA-512:C73BF8BC81163B1F1D83E971A6E202F6478D79125130B76C28E67BB54633D4F7464CA46F502A62D42F2D0C1553D6A9A38B8E0AD845610BF6A7DB5D2BCC7E8E7B
          Malicious:false
          Reputation:unknown
          Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-11-21T09:21:45">.. Build: 16.0.18307.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
          Category:dropped
          Size (bytes):4096
          Entropy (8bit):0.09216609452072291
          Encrypted:false
          SSDEEP:
          MD5:F138A66469C10D5761C6CBB36F2163C3
          SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
          SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
          SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:SQLite Rollback Journal
          Category:dropped
          Size (bytes):4616
          Entropy (8bit):0.13760166725504608
          Encrypted:false
          SSDEEP:
          MD5:4AE3AE3BD5FF43C8A6EE719253B8AE7F
          SHA1:9CA5B3145D4972DB9B06814CDECBDFD6E67825C8
          SHA-256:AD0F82A43D65BC97F56F8BE1D4E127D598A4EC21276E6377B0296A4A0686638C
          SHA-512:F05C21DC7FDA669D81E59956C79B6FBF829F11B953260CEE98D6061B4F038404026649D129B42E24DBC6846CDBAD878D0EB6B776EE1098008AFD2E1701CD40A6
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):32768
          Entropy (8bit):0.043554236194211254
          Encrypted:false
          SSDEEP:
          MD5:68C8CF68649C3899AFBC23B42B4821DF
          SHA1:5DDAEC0BE8669E65FB2B6D6C432DBFBCBA1A8E94
          SHA-256:DA1EBAF6B7BFE27D0BABD2E932AF21FEF186B06D16994AFB2239DAFD2E0D4B48
          SHA-512:007678E48F9A8B18978CBA524EA250B4FC7780434250F1B9AD93851EFFA94F392FE4BD9678511FFD6420FDA3AA4053D30B773CBA848428D9C74C26FA0ED53ABC
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:SQLite Write-Ahead Log, version 3007000
          Category:dropped
          Size (bytes):45352
          Entropy (8bit):0.39234900682764107
          Encrypted:false
          SSDEEP:
          MD5:BE436A1A4C2B24716ADC72FDA21E392C
          SHA1:E394EB0C49B529AEF6B4B98EC0DE62C9E635EF94
          SHA-256:707CD755BA791B7DB6FDA91039C5F35214704E5CA20BBDDCC0BFFA4F45C7A047
          SHA-512:B9E34EF2F08D1B5D7EC4D2423978B252DBBF52E45DEA38EFA9406AD6FD10CABE8E42E7FD0B4561165958808927A7003C47A8A5C5B1967114DD060F87500953E0
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):4542
          Entropy (8bit):3.998359744656745
          Encrypted:false
          SSDEEP:
          MD5:739A54C15E0DFA8C3D2638BA3299F282
          SHA1:DDFFA92E7990CD0F8F1CCDCE66E3EBD3BEFC8610
          SHA-256:BF590158BB8C335CDB9FD31DBB8AFF1E61EA3A36AE48B218FA19A049A6DF55F4
          SHA-512:03C4713D8ACC823C6D96AAFB21941912DA21441D84A62FE34A3EABA5EA90C588279DAF0CDCAA1AD79D3BEE9EF0FE0ABA0C56BE7EBA463E6743DC7379D92E2553
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):122
          Entropy (8bit):4.922753073433605
          Encrypted:false
          SSDEEP:
          MD5:4A08EE3C2F7F1BC7F8D579E1AF5644F6
          SHA1:D698F6DC9B9FA667D894B1C9C9E2CC22F8E1E227
          SHA-256:EEEECAD084FE05DDB7DA31CC0087755692CD42BE0F1F1F732848D04F63805EEB
          SHA-512:B6B391A037154455C6A2AD17793648DE625B9890651CD821020187D4DBE77853A3929AC94339D1110943B95ACB3689AEBC6F46F61EAA53142DF87A783042DE79
          Malicious:false
          Reputation:unknown
          Preview:Reporting-MTA: dns; baal.hawdweb.com....Action: failed..Final-Recipient: rfc822;com_agarcia@ahorramas.com..Status: 5.0.0..
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:ASCII text, with CRLF line terminators
          Category:dropped
          Size (bytes):26
          Entropy (8bit):3.95006375643621
          Encrypted:false
          SSDEEP:
          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
          Malicious:false
          Reputation:unknown
          Preview:[ZoneTransfer]..ZoneId=3..
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):1024
          Entropy (8bit):0.03351732319703582
          Encrypted:false
          SSDEEP:
          MD5:830FBF83999E052538EAF156AB6ECB17
          SHA1:9F6C69FA4232801D3A4857C630BA7A719662135A
          SHA-256:D5098A2CEAE815DB29CD53C76F85240C95DC4D2E3FEDDD71D628617064C29869
          SHA-512:A83E2E9D5274F0065A26C306F355E9590D6126297EAD87AF053CC78FB64CB31694C533139F72686C77FC772148181D8AAE973E65978D04E5F20F6F6C6BA0A013
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:modified
          Size (bytes):14412
          Entropy (8bit):3.877959698151607
          Encrypted:false
          SSDEEP:
          MD5:04BE93520C9692962D21D1BD3351D52D
          SHA1:E65ADAEF8074CCB5E3FEBB6DCCFCB02992107597
          SHA-256:89CBE694AD552BB73A4F64465838DD6835BF9D0BA63C120AF93D239778E23094
          SHA-512:03FAD7BEC9AEE51649CB86F6FD4F58644B3D0412481DA6B1A0A93F2386ACBA132025E69785FFC0C588D7FA61F56B533C2B3974E290FB0A3D96CDBCC8F71E7BB5
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):20971520
          Entropy (8bit):0.007153907091400464
          Encrypted:false
          SSDEEP:
          MD5:119E4DE1BD64D92208630BD3E133560D
          SHA1:5BE24FB273E8BE4053323001579D7AF3F34C6163
          SHA-256:ED987F3204F851611C067D5F5DCE10ED17330637930C9209F7E829B1AD6C40AC
          SHA-512:87F66860708164FDAB65828984BF722F5A5ACF7E757F925BC889F42AF7B2EAD16F31D8CF419E0B37CC2554F2C9BBDAA4E7135738EAB68278DCCD14B50C32E9D2
          Malicious:false
          Reputation:unknown
          Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/21/2024 09:21:42.138.OUTLOOK (0x1818).0x18A4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-11-21T09:21:42.138Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"3A990603-E2A0-4570-A6A8-9F35F44CBB8B","Data.PreviousSessionInitTime":"2024-11-21T09:21:23.266Z","Data.PreviousSessionUninitTime":"2024-11-21T09:21:26.610Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...11/21/2024 09:21:42.154.OUTLOOK (0x1818).0x44C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):20971520
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:
          MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
          SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
          SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
          SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:modified
          Size (bytes):212992
          Entropy (8bit):4.9164199318883846
          Encrypted:false
          SSDEEP:
          MD5:B2C77893A7F7071115C0FA9D9872E8AF
          SHA1:DCFE66DFC8DA5C4AB0E5398FF0336FF81D593637
          SHA-256:BC2DA2B52E2C9B0E4F86C1C2C706ACC7F5B05626CAF45C0BEFE49046300D11D2
          SHA-512:DBD95E076C7593F63CDACC9A4DDEAFE8F84649053F67D2C82EDAFFC9CF03FBF3FCD83F1A35760C73880104A7B1F5F22DC6AA45A0AF34D5A206F4F539B6F14D34
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):30
          Entropy (8bit):1.2389205950315936
          Encrypted:false
          SSDEEP:
          MD5:B68BC8045305398229C782B65672A99A
          SHA1:C680B442A68F003F7A0EC4A8FB1F2EBE1AE4C2BC
          SHA-256:F43E9018E02BE6AFEB3C50B75B4647ACC28814ED2926098306F229B8CBFC9C3E
          SHA-512:65A80417EBB3A9F7D485567C9898CE369713C18EB85708BC10664C936FC37E737E93E7E6243B24F13C2D828ADCC7C70D79A34001BB266A4FC9C4C20053DE0227
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:Composite Document File V2 Document, Cannot read section info
          Category:dropped
          Size (bytes):2560
          Entropy (8bit):2.021821096143215
          Encrypted:false
          SSDEEP:
          MD5:B845BCF80E023EEFDD8E164FC955E47D
          SHA1:035E0655EAD427F1DD56E51D310D3C7A42C12B02
          SHA-256:BDD95086A367DE63E833C0A74F7169160EFE3B9F82F0796FC331A6D7FD5BCAB1
          SHA-512:4A54E673A2A8F9A1AD2B2D7E7CED8338F6F3825ACF293F87878954064E068EF289F04BF64D32FA256A271EC539FDF0EE3E03B1CB59887730A36842C11924B55A
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:Microsoft Word 2007+
          Category:dropped
          Size (bytes):0
          Entropy (8bit):0.0
          Encrypted:false
          SSDEEP:
          MD5:4A25F61944145B4DB5EFAC7BE757B5B6
          SHA1:857ECA9DD2F0DBAC6CB692DC638F5FC30693A987
          SHA-256:BBE918F4C84106F6F2FE68836D751D70096E96D97B411E469CE4538FC583530B
          SHA-512:A606067F73711EBBB04C6EAF2BC591DC75EFD907E86738E8128334B72EFF84A6DF640F9C418EC4C4EBB5D913FD84941CD7A4B17508E5E21D64CE4C9455965818
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):162
          Entropy (8bit):3.623442533040259
          Encrypted:false
          SSDEEP:
          MD5:71C658969BFC20EF0D48FB7976ACE8EA
          SHA1:B7D0BF60AEE06539D2E981A9BD051BB64BEF486E
          SHA-256:0826BF88467082C8C2E02C4A3E2059CF10E407FEE2B9459A2F2ACD4F1A12B359
          SHA-512:0CDB82BC62BCBD7549FCF8D0FDAA96351211FA71E870F47542BC3FBA93F1ED72938DCD00469AACBD2B16C71C6A0AD0D1571170D26E6E75FD6F14707276A8F136
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:Microsoft Word 2007+
          Category:dropped
          Size (bytes):19602
          Entropy (8bit):7.47708774062727
          Encrypted:false
          SSDEEP:
          MD5:4A25F61944145B4DB5EFAC7BE757B5B6
          SHA1:857ECA9DD2F0DBAC6CB692DC638F5FC30693A987
          SHA-256:BBE918F4C84106F6F2FE68836D751D70096E96D97B411E469CE4538FC583530B
          SHA-512:A606067F73711EBBB04C6EAF2BC591DC75EFD907E86738E8128334B72EFF84A6DF640F9C418EC4C4EBB5D913FD84941CD7A4B17508E5E21D64CE4C9455965818
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 21 08:22:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2673
          Entropy (8bit):3.9883085021649514
          Encrypted:false
          SSDEEP:
          MD5:7FD6AF6C326DA2D9357652B335A8E2D9
          SHA1:1CD4712C291B79635F93D86B4321029B8C85C53F
          SHA-256:DD0E3C681E3A7E20FB61E0DB70BE9B68AA9D0B0F6D5A0D6D4EB35DA3EB2C467F
          SHA-512:A8F8E44230E7D44BB78F062ACE5088F5CF1794457D9C75B2943A752A5EA9A4E33495510B99725DA796A37DA73ABE3FAC4C9B5DFEEB5B18F7B5BB90E7C062F134
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 21 08:22:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2675
          Entropy (8bit):4.005367798910723
          Encrypted:false
          SSDEEP:
          MD5:D3FDB940D042A32C3FCBC195C6520887
          SHA1:F0D1ED50E33AF0AFB1793213F16E1BDEF0415848
          SHA-256:88A250E1747D26E860C2E427CEA48F59BA6B56F2BD82EF0E1BA9386A483DAE50
          SHA-512:ED4433C0DF49183D6B44EE2BE52BC615A0288037C3308D80909BD134828360EA3631F2EAF9CABF7C1882C2383C0E57CA9010B6D24272559897117AC7C7CD5A37
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2689
          Entropy (8bit):4.01074586322235
          Encrypted:false
          SSDEEP:
          MD5:85ED12F994BEF1D86955A6402C64BDF5
          SHA1:58E016E190EB422DF9467C93EE887832001BD214
          SHA-256:6E7EF0D54CC7D39E76DDAB20AFA7BF562C798646A2B9787B4138368571510303
          SHA-512:7D93FD2FC9F0F7EB01A489B310E071E28855CBC506EE0CF040206CC5D66D999F0E1C851BB3F6BD3D9FD79E136CC186F8A622446A51D19F3CEE04DC620D0AE07D
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 21 08:22:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2677
          Entropy (8bit):4.003450290885557
          Encrypted:false
          SSDEEP:
          MD5:A69C7E5C89CFD0137DAA410F000AF746
          SHA1:A8A4EF8F2536A491D18DB94D05B303B0269DA60C
          SHA-256:C6F64E4F673F4530C83B57C0156BFFEDEC09AAC02A5FF9B1A641B4C72C8FA67C
          SHA-512:0686217770179401DF3A4E6AB79B7BEB2BAB8FA425B04C1286BF996D414F78248EEC6421D52F191B21E3E8BDD9042FDD82C3988D0728BB547B590884D69D5113
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 21 08:22:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2677
          Entropy (8bit):3.9908341208959017
          Encrypted:false
          SSDEEP:
          MD5:1CCB77A2574F6398BFBF146F215856FD
          SHA1:F733668EC5B534AF518EB9B833E4BC3651CCB3F1
          SHA-256:162F9241A8BBD09C6D578E6AC5F099AB5EAD231AE7C8F7545A45DEC94DF1D67E
          SHA-512:DE114B376F167E675D4A91CB21E1ADBB2DB9CF26041F4E9938875FFADC685193A1349D7BB2E43BC9B025A6D4ED4F2E9965C8BCE4BD8190ECE0D69F76063DC69E
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Thu Nov 21 08:22:15 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2679
          Entropy (8bit):3.9989526149675836
          Encrypted:false
          SSDEEP:
          MD5:C5E75A4E29099A24545B1D07A3411F75
          SHA1:2A9414E08EF61D13C1CA6955AEA392C19B030109
          SHA-256:8AD22EB244E240C5EF405DAD3D7AC48543CB7BCF6F1D9E485B8F17372F90E16A
          SHA-512:1328E9AEF836434F8C8D43D8308A31E0247F61A126CCFEF957A46990D4E36AFD9612D44EAE7BB173B31A91410BD562CFE8803FE804C2C8255916C13A8189B08A
          Malicious:false
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:Microsoft Outlook email folder (>=2003)
          Category:dropped
          Size (bytes):271360
          Entropy (8bit):3.043879828500727
          Encrypted:false
          SSDEEP:
          MD5:9FA2A8200829024FF988126E29D33F4B
          SHA1:271FE78CB8D89EFE36B27E2B4C9CEBA8004FACD8
          SHA-256:3467C80BF5221E95D2D9B4FC6B4625B7E339A1FC2FDA105B72E039421B4FCC1A
          SHA-512:ADF320FC543B34EF499F2894919CB20D9EB6B62010705AB49479083F2E9A3C147CD03813475AEB3B8C6A028B4BA9260F7C7B84C8F869ACE289A9B446A7675C78
          Malicious:true
          Reputation:unknown
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):131072
          Entropy (8bit):3.7192176956035365
          Encrypted:false
          SSDEEP:
          MD5:7FEAE7C534B60EC2324AD09EAE498573
          SHA1:04BE02436FF5E22CB0C4168EE0EA7771B125B325
          SHA-256:E67D5687A0FD8A1E692FD6C6BFD4AACC6F8C08F4FE9CECABF4B44DC50EF97067
          SHA-512:B08E80DDF269B279F687AB179DD2D77BA81ACF85F4936091983C68AB76EAC833132AEB7A83BDABBB212E48FD233316B727837D39EF77644B10BD03CB899AAF13
          Malicious:true
          Reputation:unknown
          File type:RFC 822 mail, ASCII text, with CRLF line terminators
          Entropy (8bit):5.347513042718378
          TrID:
          • E-Mail message (Var. 5) (54515/1) 100.00%
          File name:96c27caf-3816-d26f-4af5-19e1d76e6c15.eml
          File size:29'205 bytes
          MD5:4da7ecd4816e136809a84b0f99d5783a
          SHA1:bbb47156a5400b63989ae890e9ef38cbb51db5d9
          SHA256:198320cfe4f29fe98d87798c9dc681a5f6f44d659f9c9b7dadfbebfeab085ce7
          SHA512:38bda374fab55340d357857db25495fa83e3a13b13eee0f5f06ebd320d23d9bb55f6353ac17120428a53db0b9e927abfdb8abb6ced5d0455493b878068414c9f
          SSDEEP:384:SttPZT4flv3nLHPs3up2Wk1DH8fqge3gpOpg4nB4i3StFM8H:KT4Nv3D4upPfqgHpO24nB4iCcS
          TLSH:4AD2B45757C2952D15336098B9117ECEDBA34DAF5303AAA0B42E22375F6CCBC174728E
          File Content Preview:Received: from DU7PR01CA0020.eurprd01.prod.exchangelabs.com.. (2603:10a6:10:50f::25) by PAVP189MB2385.EURP189.PROD.OUTLOOK.COM.. (2603:10a6:102:30e::7) with Microsoft SMTP Server (version=TLS1_2,.. cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.81
          Subject:Mail delivery failed: returning message to sender
          From:Mail Delivery System <Mailer-Daemon@baal.hawdweb.com>
          To:com_agarcia@ahorramas.com
          Cc:
          BCC:
          Date:Wed, 20 Nov 2024 14:58:53 +0300
          Communications:
          • This message was created automatically by mail delivery software. A message that you sent could not be delivered to one or more of its recipients. This is a permanent error. The following address(es) failed: com_agarcia@ahorramas.com Domain sohda.so has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.
          Attachments:
          Key Value
          Received: from mailnull by baal.hawdweb.com with local (Exim 4.98) id 1tDjMD-00000003usB-0NM0 for com_agarcia@ahorramas.com; Wed, 20 Nov 2024 14:58:53 +0300
          Authentication-Results: spf=pass (sender IP is 65.108.230.52) smtp.helo=baal.hawdweb.com; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=baal.hawdweb.com;compauth=pass reason=109
          Received-SPF: Pass (protection.outlook.com: domain of baal.hawdweb.com designates 65.108.230.52 as permitted sender) receiver=protection.outlook.com; client-ip=65.108.230.52; helo=baal.hawdweb.com; pr=C
          X-Failed-Recipients: com_agarcia@ahorramas.com
          Auto-Submitted: auto-replied
          From: Mail Delivery System <Mailer-Daemon@baal.hawdweb.com>
          To: com_agarcia@ahorramas.com
          References: <20241120115852.6395F652C220AA19@ahorramas.com>
          Content-Type: multipart/report; report-type="delivery-status"; boundary="1732103933-eximdsn-657998627"
          MIME-Version: 1.0
          Subject: Mail delivery failed: returning message to sender
          Message-Id: <E1tDjMD-00000003usB-0NM0@baal.hawdweb.com>
          Date: Wed, 20 Nov 2024 14:58:53 +0300
          X-AntiAbuse: Sender Address Domain -
          X-Get-Message-Sender-Via: baal.hawdweb.com: sender_ident via received_protocol == local: mailnull/primary_hostname/system user
          X-Authenticated-Sender: baal.hawdweb.com: mailnull
          X-Source:
          X-Source-Args:
          X-Source-Dir:
          Return-Path: <>
          X-EOPAttributedMessage: 0
          X-EOPTenantAttributedMessage: 4eb911de-063e-41cb-bcf9-71aabf223544:0
          X-MS-PublicTrafficType: Email
          X-MS-TrafficTypeDiagnostic: DB3PEPF0000885D:EE_|PAVP189MB2385:EE_
          X-MS-Office365-Filtering-Correlation-Id: a7854831-de56-4fa2-0de5-08dd095ab59e
          X-MS-Exchange-AtpMessageProperties: SA|SL
          X-CustomSpam: Backscatter NDR
          X-Forefront-Antispam-Report: CIP:65.108.230.52;CTRY:FI;LANG:en;SCL:9;SRV:;IPV:NLI;SFV:SPM;H:baal.hawdweb.com;PTR:baal.hawdweb.com;CAT:HPHISH;SFTY:9.25;SFS:(13230040)(1930700014);DIR:INB;
          X-Microsoft-Antispam: BCL:0;ARA:13230040|1930700014;
          X-Microsoft-Antispam-Message-Info:

          Icon Hash:46070c0a8e0c67d6