Edit tour

Windows Analysis Report
message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml

Overview

General Information

Sample name:message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml
Analysis ID:1646898
MD5:153dbbe651e31f65dd0b8754407ada13
SHA1:f94f6cd285c4e564d2fbb46fb1db12bc0ff7df37
SHA256:60b3fa9d8f0ca60138b0c4818cbf48ac65b5f45995c803418304995501ec28a2
Infos:

Detection

HTMLPhisher
Score:68
Range:0 - 100
Confidence:100%

Signatures

AI detected phishing page
Yara detected HtmlPhish10
AI detected suspicious Javascript
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Creates a window with clipboard capturing capabilities
HTML body contains low number of good links
HTML body contains password input but no form action
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Sigma detected: Suspicious Office Outbound Connections
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic

Classification

RansomwareSpreadingPhishingBankerTrojan / BotAdwareSpywareExploiterEvaderMinercleansuspiciousmalicious
  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6304 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6432 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F287058E-A9AF-4D50-BD2A-713F2D52A5F5" "721007E7-8671-47F3-82C0-AFE505B48382" "6304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6540 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_charles.mesquita_PaymentUpdate.html MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 528 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,2471821355851726699,8967163506001216818,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • rundll32.exe (PID: 3768 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • OUTLOOK.EXE (PID: 6324 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021037_0E354FA6FF238B83_quilter_com_.eml" MD5: 91A5292942864110ED734005B7E005C0)
  • OUTLOOK.EXE (PID: 2532 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5940 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "331ECB5A-2AA1-4CA8-B337-D07531EFD81B" "4763F35A-AB69-44ED-AB3A-19976D854FBF" "2532" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • OUTLOOK.EXE (PID: 1748 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021037_0E354FA6FF238B83_quilter_com_.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 984 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7556F122-B20F-4758-8F3F-C654A1C68869" "FAA2C747-6928-4B38-B14C-3FEF91E10586" "1748" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 3328 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 5440 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
SourceRuleDescriptionAuthorStrings
0.1.pages.csvJoeSecurity_HtmlPhish_10Yara detected HtmlPhish_10Joe Security
    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
    Source: Registry Key setAuthor: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6304, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
    Source: Network ConnectionAuthor: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.16, DestinationIsIpv6: false, DestinationPort: 49728, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 2532, Protocol: tcp, SourceIp: 13.107.246.40, SourceIsIpv6: false, SourcePort: 443
    TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
    2025-03-24T12:16:57.233028+010020283713Unknown Traffic192.168.2.164972813.107.246.40443TCP
    2025-03-24T12:17:02.928249+010020283713Unknown Traffic192.168.2.164972913.107.246.40443TCP
    2025-03-24T12:17:12.582502+010020283713Unknown Traffic192.168.2.164973013.107.246.40443TCP
    2025-03-24T12:17:12.595329+010020283713Unknown Traffic192.168.2.164973113.107.246.40443TCP

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlJoe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 0.0.pages.csv
    Source: Yara matchFile source: 0.1.pages.csv, type: HTML
    Source: 0.0..script.csvJoe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/AppData/Local/Microsoft/Wind... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It appears to be a malicious script designed to steal user information and credentials. The script interacts with suspicious domains, further indicating malicious intent. Overall, this script poses a significant security risk and should be treated with caution.
    Source: EmailJoe Sandbox AI: Detected potential phishing email: Sender email matches recipient email which is highly suspicious. Generic 'Accounts Payable' signature without specific company details. Contains suspicious HTML attachment with payment/invoice theme, a common phishing tactic
    Source: EmailJoe Sandbox AI: Detected suspicious elements in Email header: Proofpoint detected this as phishing with a very high phishscore=100. Authentication score indicates likely spam (authscore=99, authtc=spam). Suspicious localhost IPv6 sending address despite coming from external IP 147.78.240.105. Message claims to be from quiltercheviot.com but sent via suspicious routing. Boundary string format matches common phishing patterns. Multiple strong indicators of malicious intent including Proofpoint phish classification and suspicious routing
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: Number of links: 0
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: <input type="password" .../> found but no <form action="...
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: Title: Login does not match URL
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: Has password / email / username input fields
    Source: EmailClassification: Invoice Scam
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: <input type="password" .../> found
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No favicon
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No favicon
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No <meta name="author".. found
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No <meta name="copyright".. found
    Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmlHTTP Parser: No <meta name="copyright".. found
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49720 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49714 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49719 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49722 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 108.138.106.84:443 -> 192.168.2.16:49724 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 108.138.106.26:443 -> 192.168.2.16:49725 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.251.40.228:443 -> 192.168.2.16:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.16:49728 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.16:49729 version: TLS 1.2
    Source: chrome.exeMemory has grown: Private usage: 24MB later: 37MB
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49728 -> 13.107.246.40:443
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49729 -> 13.107.246.40:443
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49731 -> 13.107.246.40:443
    Source: Network trafficSuricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.16:49730 -> 13.107.246.40:443
    Source: unknownTCP traffic detected without corresponding DNS query: 142.251.41.3
    Source: unknownTCP traffic detected without corresponding DNS query: 142.251.41.3
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /json HTTP/1.1Host: ipinfo.ioConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET / HTTP/1.1Host: quiltercheviot.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Origin: nullSec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: emptyAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /quiltercheviot.com?size=800 HTTP/1.1Host: logo.clearbit.comConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageSec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /quiltercheviot.com?size=800 HTTP/1.1Host: logo.clearbit.comConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /rules/outlook.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficHTTP traffic detected: GET /rules/outlook.exe-Production-v19.bundle HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficHTTP traffic detected: GET /rules/rule120607v1s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficHTTP traffic detected: GET /rules/rule120603v8s19.xml HTTP/1.1Connection: Keep-AliveAccept-Encoding: gzipUser-Agent: Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.16827; Pro)Host: otelrules.svc.static.microsoft
    Source: global trafficDNS traffic detected: DNS query: quiltercheviot.com
    Source: global trafficDNS traffic detected: DNS query: ipinfo.io
    Source: global trafficDNS traffic detected: DNS query: logo.clearbit.com
    Source: global trafficDNS traffic detected: DNS query: www.google.com
    Source: global trafficDNS traffic detected: DNS query: otelrules.svc.static.microsoft
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49728 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49728
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49713 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49720 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49714 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49719 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 34.117.59.81:443 -> 192.168.2.16:49722 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 217.114.85.70:443 -> 192.168.2.16:49721 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 108.138.106.84:443 -> 192.168.2.16:49724 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 108.138.106.26:443 -> 192.168.2.16:49725 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 142.251.40.228:443 -> 192.168.2.16:49726 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.16:49728 version: TLS 1.2
    Source: unknownHTTPS traffic detected: 13.107.246.40:443 -> 192.168.2.16:49729 version: TLS 1.2
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASS
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASS
    Source: classification engineClassification label: mal68.phis.winEML@36/7@13/79
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250324T0715230317-6304.etl
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Users\desktop.ini
    Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F287058E-A9AF-4D50-BD2A-713F2D52A5F5" "721007E7-8671-47F3-82C0-AFE505B48382" "6304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F287058E-A9AF-4D50-BD2A-713F2D52A5F5" "721007E7-8671-47F3-82C0-AFE505B48382" "6304" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_charles.mesquita_PaymentUpdate.html
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,2471821355851726699,8967163506001216818,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_charles.mesquita_PaymentUpdate.html
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1928,i,2471821355851726699,8967163506001216818,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2244 /prefetch:3
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021037_0E354FA6FF238B83_quilter_com_.eml"
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "331ECB5A-2AA1-4CA8-B337-D07531EFD81B" "4763F35A-AB69-44ED-AB3A-19976D854FBF" "2532" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\message__20250324021037_0E354FA6FF238B83_quilter_com_.eml"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7556F122-B20F-4758-8F3F-C654A1C68869" "FAA2C747-6928-4B38-B14C-3FEF91E10586" "1748" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "331ECB5A-2AA1-4CA8-B337-D07531EFD81B" "4763F35A-AB69-44ED-AB3A-19976D854FBF" "2532" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "7556F122-B20F-4758-8F3F-C654A1C68869" "FAA2C747-6928-4B38-B14C-3FEF91E10586" "1748" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\TCK4PUFU\Invoice_celine.tournette_PaymentUpdate.html
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation21
    Browser Extensions
    1
    Process Injection
    1
    Masquerading
    OS Credential Dumping1
    Process Discovery
    Remote Services1
    Clipboard Data
    1
    Encrypted Channel
    Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/Job1
    DLL Side-Loading
    1
    DLL Side-Loading
    1
    Modify Registry
    LSASS Memory1
    File and Directory Discovery
    Remote Desktop ProtocolData from Removable Media1
    Ingress Tool Transfer
    Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
    Extra Window Memory Injection
    1
    Process Injection
    Security Account Manager14
    System Information Discovery
    SMB/Windows Admin SharesData from Network Shared Drive2
    Non-Application Layer Protocol
    Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    Rundll32
    NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture3
    Application Layer Protocol
    Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    DLL Side-Loading
    LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
    Extra Window Memory Injection
    Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


    windows-stand
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    No Antivirus matches
    SourceDetectionScannerLabelLink
    file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.html0%Avira URL Cloudsafe
    https://logo.clearbit.com/quiltercheviot.com?size=8000%Avira URL Cloudsafe
    https://quiltercheviot.com/0%Avira URL Cloudsafe
    https://otelrules.svc.static.microsoft/rules/outlook.exe-Production-v19.bundle0%Avira URL Cloudsafe
    NameIPActiveMaliciousAntivirus DetectionReputation
    s-part-0012.t-0009.t-msedge.net
    13.107.246.40
    truefalse
      high
      d26p066pn2w0s0.cloudfront.net
      108.138.106.84
      truefalse
        high
        ipinfo.io
        34.117.59.81
        truefalse
          high
          www.google.com
          142.251.40.228
          truefalse
            high
            quiltercheviot.com
            217.114.85.70
            truetrue
              unknown
              s-0005.dual-s-msedge.net
              52.123.128.14
              truefalse
                high
                otelrules.svc.static.microsoft
                unknown
                unknownfalse
                  high
                  logo.clearbit.com
                  unknown
                  unknownfalse
                    high
                    NameMaliciousAntivirus DetectionReputation
                    https://logo.clearbit.com/quiltercheviot.com?size=800false
                    • Avira URL Cloud: safe
                    unknown
                    file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/TCK4PUFU/Invoice_charles.mesquita_PaymentUpdate.htmltrue
                    • Avira URL Cloud: safe
                    unknown
                    https://quiltercheviot.com/false
                    • Avira URL Cloud: safe
                    unknown
                    https://otelrules.svc.static.microsoft/rules/outlook.exe-Production-v19.bundlefalse
                    • Avira URL Cloud: safe
                    unknown
                    https://otelrules.svc.static.microsoft/rules/rule120607v1s19.xmlfalse
                      high
                      https://otelrules.svc.static.microsoft/rules/rule120603v8s19.xmlfalse
                        high
                        https://ipinfo.io/jsonfalse
                          high
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IPDomainCountryFlagASNASN NameMalicious
                          142.250.80.46
                          unknownUnited States
                          15169GOOGLEUSfalse
                          52.109.4.7
                          unknownUnited States
                          8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          13.107.246.40
                          s-part-0012.t-0009.t-msedge.netUnited States
                          8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          108.138.106.84
                          d26p066pn2w0s0.cloudfront.netUnited States
                          16509AMAZON-02USfalse
                          142.251.111.84
                          unknownUnited States
                          15169GOOGLEUSfalse
                          34.117.59.81
                          ipinfo.ioUnited States
                          139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGfalse
                          142.251.40.228
                          www.google.comUnited States
                          15169GOOGLEUSfalse
                          217.114.85.70
                          quiltercheviot.comSweden
                          30811EPISERVER_ASSEtrue
                          20.42.65.84
                          unknownUnited States
                          8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          108.138.106.26
                          unknownUnited States
                          16509AMAZON-02USfalse
                          52.123.128.14
                          s-0005.dual-s-msedge.netUnited States
                          8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          23.219.161.148
                          unknownUnited States
                          20940AKAMAI-ASN1EUfalse
                          52.178.17.234
                          unknownUnited States
                          8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          52.109.20.38
                          unknownUnited States
                          8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                          142.251.35.174
                          unknownUnited States
                          15169GOOGLEUSfalse
                          IP
                          192.168.2.16
                          Joe Sandbox version:42.0.0 Malachite
                          Analysis ID:1646898
                          Start date and time:2025-03-24 12:14:52 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsinteractivecookbook.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:27
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • EGA enabled
                          Analysis Mode:stream
                          Analysis stop reason:Timeout
                          Sample name:message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml
                          Detection:MAL
                          Classification:mal68.phis.winEML@36/7@13/79
                          Cookbook Comments:
                          • Found application associated with file extension: .eml
                          • Exclude process from analysis (whitelisted): svchost.exe
                          • Excluded IPs from analysis (whitelisted): 23.219.161.148, 52.123.128.14
                          • Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, dual-s-0005-office.config.skype.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, a1864.dscd.akamai.net
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetValueKey calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: quiltercheviot.com
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:modified
                          Size (bytes):118784
                          Entropy (8bit):4.530883280386982
                          Encrypted:false
                          SSDEEP:
                          MD5:329259B5D41FDF95932EF5F1126BDC66
                          SHA1:7FF9136DAB8E0DADCBF1458B5BB7D822279BF3D3
                          SHA-256:A7D09FD3BC9B5DF7A87A389D95E9AFC5774A985924C685C9A8B81EFC20F64369
                          SHA-512:A7BEDD3236319955F580763EA0568D1D9BCE6AE48D0A79AE33117AB7E8041111E978BCFEE2CE4ECCA914F12FF714DF226E6FD4DAB21181EE89DB8EE129ED75CD
                          Malicious:false
                          Reputation:unknown
                          Preview:............................................................................`............;a.....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................p.^3............;a.............v.2._.O.U.T.L.O.O.K.:.1.8.a.0.:.c.8.5.b.b.8.3.c.5.1.5.9.4.d.6.6.b.0.1.0.1.c.5.a.f.9.4.6.7.9.9.4...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.2.4.T.0.7.1.5.2.3.0.3.1.7.-.6.3.0.4...e.t.l.......P.P..........;a.............................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:modified
                          Size (bytes):16384
                          Entropy (8bit):3.642104170521157
                          Encrypted:false
                          SSDEEP:
                          MD5:3D05CDDCD9B7734E7DE6D2768D49C437
                          SHA1:89F644A5A6E751846E0BA553B3BA1A53002417E2
                          SHA-256:2F1350E14D775C11724018D44E30A010DCEB432D6D2A135737BBB3B8CF815A84
                          SHA-512:602601D1DB7A09854EAAC4058935BD7B86DF268980D7C1D8451374302038E4254D9FDE7A363BE1A28F6A2A486DA60BF61CD13CA120063F7B24714C59758B1DAC
                          Malicious:false
                          Reputation:unknown
                          Preview:............................................................................`.............$;....................eJ.......%.<....Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................p.^3.............$;............v.2._.O.U.T.L.O.O.K.:.1.8.b.4.:.9.6.5.2.8.9.d.2.0.0.2.0.4.f.9.9.8.1.1.1.4.8.7.a.1.9.5.8.0.e.9.f...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.2.4.T.0.7.1.6.4.6.0.8.0.8.-.6.3.2.4...e.t.l.......P.P...........$;............................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):90112
                          Entropy (8bit):4.425435753111824
                          Encrypted:false
                          SSDEEP:
                          MD5:75F7B646404B9547BCF5B47F6FE14169
                          SHA1:B8F42383895373A88AF591F3C91DCC244F9F4279
                          SHA-256:D508ED055B35BF8F7AE6A414DBD8844CD1C5EBF0B791F497876DC2C5BC8D7F56
                          SHA-512:100699A299E7B9B0063E89C777FF2462CF2B18DFF3586B51323A25E3D7CEB3BFC3A1AB49EA5F75FF76636E6BD8F259E5EB2B18029354226F76FB86FD3D0AB761
                          Malicious:false
                          Reputation:unknown
                          Preview:............................................................................^...P.......aI.C....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................p.^3...........aI.C............v.2._.O.U.T.L.O.O.K.:.6.d.4.:.6.e.8.2.d.4.1.e.b.0.5.f.4.d.9.0.a.5.5.0.4.1.d.d.1.d.0.9.e.f.c.a...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.5.0.3.2.4.T.0.7.1.7.0.1.0.3.2.6.-.1.7.4.8...e.t.l.........P.P.P.......aI.C............................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:Microsoft Outlook email folder (>=2003)
                          Category:dropped
                          Size (bytes):271360
                          Entropy (8bit):2.8228240802834463
                          Encrypted:false
                          SSDEEP:
                          MD5:B45BBF577C749DEA1DB5A8D6B0C4E3AE
                          SHA1:0D87B97B49B0689E9CBBB7E931ED70665C5A775D
                          SHA-256:F868C4A9CA5C068F43E7B9CAA7479587EF936979A5AC0281A81DE64CEF6B48ED
                          SHA-512:54DD7F1BAF3D3B20A3431EC3AE582BADC91C604BC3740041E0C259FCF774F92C97286B7784BC43E9463C7ED56C314EB953892FE6D5554D2F87F4AF9B1CDCCB5A
                          Malicious:true
                          Reputation:unknown
                          Preview:!BDN.O.qSM......\.......................o................@...........@...@...................................@...........................................................................$.......D...............................V..........................................................................................................................................................................................................................................................................................................0..tNHW.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          File Type:data
                          Category:dropped
                          Size (bytes):131072
                          Entropy (8bit):0.4711505883466448
                          Encrypted:false
                          SSDEEP:
                          MD5:9B3050F9687CC3DA942C1C98DF270B83
                          SHA1:AD85FCBEDF7D3C768134A3908AFC54C103064E2E
                          SHA-256:29C3365E0501944F9531D07E161CB95DAAA4649280D6D0D89C6992412AA03656
                          SHA-512:C88E706B061B40494F90CC345BE66E99B3C0251CF9D46CE85A8888CE1F24A0A72A9B44C58925534670D0314AEA2BB18EC0C15AA34E2A2C0BE2747FED2F7FD874
                          Malicious:true
                          Reputation:unknown
                          Preview:?...0...............J.?.........D............#...\.........................................................................................................................................................?...........................................................................................................................................................................................................................................................................................................................................................D......1;J.0...............J.?.........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:JSON data
                          Category:dropped
                          Size (bytes):280
                          Entropy (8bit):5.112566274550182
                          Encrypted:false
                          SSDEEP:
                          MD5:925C784851E5EE48E9F034CFD3CCC115
                          SHA1:3BC5F389943EA5AFF747A9804C400F5CC0A83AF8
                          SHA-256:AAF804CAC438DCA38D46479C55D9895F4C899C3B13EE2FAA563F4509C199D883
                          SHA-512:316B17634829177A353C45A344483426AB021F07A995AA7BEAD57F46EFD14F7A47E8295456A486B8DD2FF1A075D4BB871D6BCB8A40F2A7DEDFDB0E27DD932D35
                          Malicious:false
                          Reputation:unknown
                          Preview:{. "ip": "161.77.13.2",. "city": "New York City",. "region": "New York",. "country": "US",. "loc": "40.7143,-74.0060",. "org": "AS7849 CROCKER COMMUNICATIONS, INCORPORATED",. "postal": "10001",. "timezone": "America/New_York",. "readme": "https://ipinfo.io/missingauth".}
                          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
                          File Type:PNG image data, 200 x 200, 8-bit/color RGB, non-interlaced
                          Category:downloaded
                          Size (bytes):47672
                          Entropy (8bit):7.9861123749420555
                          Encrypted:false
                          SSDEEP:
                          MD5:D8DBFB5F851ED41D7A6E226A7C69F2FE
                          SHA1:62EE288854A69C16C83B96CA7EC90314FB07CBFA
                          SHA-256:439936D8CB3E181EBA6AE29C43C2108066200CB25AF0001F146E36BEA143B602
                          SHA-512:61BEB2706A68A71810259957393561D48F94DEBD5BFCAE87976321E0493DE9A642765F73ECD152CD8C97B9951BA4F0D0C490262C7E8DD3EC7E8F39923C82A031
                          Malicious:false
                          Reputation:unknown
                          URL:https://logo.clearbit.com/quiltercheviot.com?size=800
                          Preview:.PNG........IHDR.............":9.....IDATx..}..\U.....93s{...'.R !...j....TP@...K.A...DQ..*`..Q.BB.@.......oo3s.]...g.\..{.D...f.....9......ZkS4......B.B....H..#.W..S...y.79.8.^b.......{].......|..R.^.G...4y.<.D..<z..R.7..\?p+|..Q.rd..y..*I..6P...'..1:...GT..Q>..p....7.%..y..r...r\...w.......)...xyG.q.:^.r\...w.......)...xyG.q.:^.r\...w.......)...xyG.q.:^.r\...w.......)......CUJ....*.l.v..W.........B(V..p.....&FR..|...RX.e.8..e(.\.m...BJ..}..0|b.<..iF......(...e.S...z@h...\@.T.}.U%,S....q.A...,...! .!....2.[..I.K-....S...JK...p....G...o=.......B..k....p.?N....B..J 8.B. ..)%"$.c5....!.0..m...qL.Qw.<."j. %M...!........m1...&.\Ji.65.......cJ..-c...Zq.-..r.!.D..?...(U.......(.LU...P.9.c.0...J#D8. $..D......$.c..N.qQ..%...$O..=...g.(....b.6B.-.s.....Jvm.E*."..".-..8... ..R.?D.bb(....H...D..T.E..zz...#...H...(.d..H..{.....K"z.....$@.d.s.E.cbRjPf... 9.. ... .Gy%.&...f..m{)..<.\.=...bY.q.T*..>!..+....zzz.{s.\... .s2.....>..UU..8..i.P+.dB..F.z...7.n.j.......
                          File type:ASCII text, with CRLF line terminators
                          Entropy (8bit):5.947565672146383
                          TrID:
                            File name:message__20250324021254_635CB2FE009599FD_quiltercheviot_com_.eml
                            File size:29'397 bytes
                            MD5:153dbbe651e31f65dd0b8754407ada13
                            SHA1:f94f6cd285c4e564d2fbb46fb1db12bc0ff7df37
                            SHA256:60b3fa9d8f0ca60138b0c4818cbf48ac65b5f45995c803418304995501ec28a2
                            SHA512:e49412de8e257ef1fc0b82f03c3b1054d570d4892764a6c0b2ae55ef090a7eeaf56e92e8771a528cb5a84fcb4c8d3cce293d09c677ec63b72173607c368c9f87
                            SSDEEP:768:VlW+Iy8seiacL2dBfzjvDfCPeFBXWxSJ8gK5eBKhy7I8TPJVG8A:VYhy8seiacSdB/QaGxSJhK5eBKh6IQPs
                            TLSH:C5D28E722DD11AD75738FE66ACFD6389431CFBF244611AC5864B9ACC332832E74D0566
                            File Content Preview:X-Proofpoint-Sentinel: stfjSemHaWLKwmS7nbtGkdFazaSR690FPTGL0QKvBTHL3apTYWx0ZWRfXyG.. 4vB9Zt86OtGbREGHkWBmvhEwGIyaZwtCWbj18GM00ZfuFVW55BElbqShTnIyZF6UO8DdTP4c4Oz3.. xVGp5oL8vyTVVqi5nfNqlJ9VY0yVJgkojxYUliQp9/YhZaZC9RhCn35+H9eKkV3bS4UerAiyVz0O.. YEkUILDvwh8Y
                            Subject:[External] Invoice
                            From:Quiltercheviot <charles.mesquita@quiltercheviot.com>
                            To:charles.mesquita@quiltercheviot.com
                            Cc:
                            BCC:
                            Date:Mon, 24 Mar 2025 02:12:54 -0700
                            Communications:
                            • Dear charles.mesquita I hope this message finds you well. We are writing to inform you that payment for your invoice is scheduled. If you require additional time to process this payment, kindly let us know, and we will be happy to accommodate your request. Thank you for your attention to this matter. Should you need any further details or assistance, feel free to contact us Best regards, Accounts Payable
                            Attachments:
                            • Invoice_charles.mesquita_PaymentUpdate.html
                            Key Value
                            X-Proofpoint-SentinelstfjSemHaWLKwmS7nbtGkdFazaSR690FPTGL0QKvBTHL3apTYWx0ZWRfXyG 4vB9Zt86OtGbREGHkWBmvhEwGIyaZwtCWbj18GM00ZfuFVW55BElbqShTnIyZF6UO8DdTP4c4Oz3 xVGp5oL8vyTVVqi5nfNqlJ9VY0yVJgkojxYUliQp9/YhZaZC9RhCn35+H9eKkV3bS4UerAiyVz0O YEkUILDvwh8YkcDp+sEdGUSaqir2eKmY6IkyB9WT/ZZxDg6U8wEMs0O/j/NkvrvJJpVZmQtnWozD ux4ztgYoiPC8sfQ8MiVVQgBNEY4PLZ1w2l1KhWoWsEF7Ptyau/kOliWrlhmc+XNR9Bfn+/Hr8aTu cNDztXKA9k4mG1YggEIEn6hdSvHJ/5GGDr26JT4REdmZ4/rxf7GUqdwpUYf8Q/fRSDNVYtZI/50s ttPwZH4w2CGoCrmUJOBjjx0mu39zIFhfHIEka+CbnnkwuelWFGZGEZ+0mrjN9rt7WtSli0V2O7A/ ursRFKGdnSqI3dnJNe90UCEejhfL55pgT0QuM4gdtwwrgc5/q1y6LqUgzyearGFiSDhO65Rvz3fV tHAvJZo+PfENBxGjqdCJigtg/shM2WiVDDpjjgEF354SQdAWMFMTSTaHOvd+QMYwqFPMsgnYYyrr JZkwI+iuuCeAefasVG/hrFP/lUQXPtqSy1oZBuBXeAzYkRx1HADyVdo9Q09baon7qv8EbZ153YBt A4+2SI+F+uonUcCvFmiEPOfw/fhE36rfR41gOEM0hCjWfcKFSFRklXTWko/Ntfcp59sPczxzNLqm sDc/osVL8NvVhR/KqZ7Dc/Mkg5AS49QSkvUHhdXtWlv9xd7dpZB5qNnzSoldt9Zd0v/RidBHK6vb 7L002+VGXL8ffrq/m945ry2C89w==
                            Authentication-Resultsppops.net; spf=fail smtp.mailfrom=charles.mesquita@quiltercheviot.com; dmarc=fail header.from=quiltercheviot.com
                            Receivedfrom [147.78.240.105] (localhost [IPv6:::1]) by test.example.com (Postfix) with ESMTP id D414A809A57 for <charles.mesquita@quiltercheviot.com>; Mon, 24 Mar 2025 12:12:54 +0300 (MSK)
                            FromQuiltercheviot <charles.mesquita@quiltercheviot.com>
                            Tocharles.mesquita@quiltercheviot.com
                            DateMon, 24 Mar 2025 02:12:54 -0700
                            Message-ID<20250324021254.635CB2FE009599FD@quiltercheviot.com>
                            MIME-Version1.0
                            Content-Typemultipart/mixed; boundary="----=_NextPart_000_0012_E5AA8E65.597A7546"
                            X-CLX-Response1TFkXBxsaGhgRCllEF2xrfVNkEkNvaU9mEQpYWBdsQRt5cx5OSFtyehEKeE4 XYUR5S0dZaHJJXkMRCkNIFx8bEQpDWRcHGRoRCkNJFxoEGhoaEQpZTRdgX0RBEQpfWRcHHhkTEQ pfTRdgX0RBEQpZSRcacRoQGncGGxwfcR4eEBp3BgcYGgYaEQpZXhdoY3kRCklGF1tfQ0ZeT1hFR 111QkVZXk9OEQpJRxd4T00RCkNOF21IGE1JQR0YE2BNYxNeRH4TaHB5GUF6YWRIchNCSRJyEQpY XBcfBBoEGRMcBRsaBBIaBBsZHgQZGRAbHhofGhEKXlkXTGxZTkgRCk1cFxsZGBEKTFoXaEFpQl1 pEQpNThdpexEKQk8XaXhHHUVOWmhIBWkRCkNaFxsSHwQbGB8EGBsTBBIeEQpCXhcbEQpCRRdlX0 dYE2ATfGl5XREKQk4XYUR5S0dZaHJJXkMRCkJMF2xBG3lzHk5IW3J6EQpCbBdlGgF5HUgYf30fW BEKQkAXaFoTT3loAVtAEl8RCkJYF2xBG3lzHk5IW3J6EQpNXhcbEQpaWBcbEQp5QxdoWhNPeWgB W0ASXxEKWUsXHh8ZGBEKcGgXb2AZfWlmGmRbf0UQBx4YEQpwaBdpSEFeE2dzGkYdYBAHHhgRCnB oF2ZoQWxnWH5HaX58EAceGBEKcGgXZmZYXGRvTE9JeWUQBx4YEQpwaBdoG0RsSxwabmFafRAHHh gRCnBoF21IeRNbZ00FHVtwEAceGBEKcGgXYmJ8flseeX5bfgEQBx4YEQpwaBdhGWlTWWBdHUNEG RAHHhgRCnBsF2IYRk1zR2hkZh18EBkaEQpwQxdtRF1+WmdAR1JiGRAHHhkRCm1+FxsRClhNF0sR IA==
                            X-Proofpoint-GUIDX-oPhQxoxF3yKoJWtJfrG6rcpv7agAWd
                            X-Authority-Analysisv=2.4 cv=EJcG00ZC c=1 sm=1 tr=0 ts=67e122c0 cx=c_pps p=Txo3izc_X64U5HS5R0YA:9 p=RWIjjz5wXUesFk_GHCIA:9 a=jE2/KaANk+G3Rf6XQLEZ/w==:117 a=jE2/KaANk+G3Rf6XQLEZ/w==:17 a=xqWC_Br6kY4A:10 a=Vs1iUdzkB0EA:10 a=r77TgQKjGQsHNAKrUKIA:9 a=QEXdDO2ut3YA:10 a=zgiPjhLxNE0A:10 a=JZZLUqjyAAAA:8 a=pGLkceISAAAA:8 a=mVPPPBdZLWwj4tNM:21 a=_W_S_7VecoQA:10 a=L03L2QfmqWoA:10 a=1WNtSb5ECZgA:10 a=_C6zaqPeZVUA:10 a=xo5jKAKm-U-Zyk2_beg_:22 a=tDTIrp_YVeGTO7gPfFWI:22
                            X-CLX-ShadesJunk
                            X-Proofpoint-ORIG-GUIDGb2gck729JgI9tnT9BZS3kPKNbX9hc8X
                            Subject[External] Invoice
                            X-Proofpoint-Virus-Versionvendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1093,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-03-24_04,2025-03-21_01,2024-11-22_01
                            X-Proofpoint-Spam-Detailsrule=inbound_phish policy=inbound score=0 lowpriorityscore=0 priorityscore=1501 suspectscore=0 impostorscore=0 mlxscore=0 adultscore=0 snscore=4 malwarescore=0 phishscore=100 spamscore=0 bulkscore=0 clxscore=-1002 classifier=phish authscore=99 authtc=spam authcc= route=inbound adjust=0 reason=safe scancount=2 engine=8.19.0-2502280000 definitions=main-2503240066 domainage_hfrom=4532

                            Icon Hash:46070c0a8e0c67d6