
Windows Analysis Report
FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml

Overview

General Information

Sample name: FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml
Analysis ID: 1649382
MD5: 53b7baf9b9bf42279069eff706017cc8
SHA1: 5bf1175b21d2f1fd4c9f3207da84285e9d5d915a
SHA256: ffea77a1059e7ca5766636b36971f3f326d7207200c15c7e3824d2e67037c8ba

Detection

Invisible JS, Tycoon2FA
Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Yara detected AntiDebug via timestamp check
Yara detected Invisible JS
Yara detected Obfuscation Via HangulCharacter
Yara detected Tycoon 2FA PaaS
AI detected suspicious Javascript
AI detected suspicious elements in Email content
HTML page contains suspicious javascript code
Creates files inside the system directory
Deletes files inside the Windows folder
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores large binary data to the registry

Process Tree
  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7124 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6420 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5508DC6E-7460-4733-A59E-1349AC6BE65D" "06C777C9-E586-42C6-B1FC-A12EFEEDA03D" "7124" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6180 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 6880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2008,i,12362316746177149109,1949792878988641487,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
    • chrome.exe (PID: 1108 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
Source              Rule                           Description                                     Author
1.2.d.script.csv    JoeSecurity_Tycoon2FA_1        Yara detected Tycoon 2FA PaaS                   Joe Security
1.2.d.script.csv    JoeSecurity_AntiDebugBrowser   Yara detected AntiDebug via timestamp check     Joe Security
1.7.d.script.csv    JoeSecurity_Tycoon2FA_1        Yara detected Tycoon 2FA PaaS                   Joe Security
1.3.d.script.csv    JoeSecurity_HangulCharacter    Yara detected Obfuscation Via HangulCharacter   Joe Security
1.3.d.script.csv    JoeSecurity_InvisibleJS        Yara detected Invisible JS                      Joe Security
(3 further Yara matches are collapsed in the source report and not reproduced here.)
Source: Registry Key set | Rule: Office Autorun Keys Modification | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7124, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set | Rule: Outlook Security Settings Updated - Registry | Author: frack113 | Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7124, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
Both Sigma hits are written by OUTLOOK.EXE itself while it handles the attachment: the OutlookSecureTempFolder value is the Content.Outlook\RYTKI0S4 directory from which chrome.exe later opens the SVG. Read them as context for the attachment chain, not as attacker persistence.
            No Suricata rule has matched
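The Yara names above (Invisible JS, Obfuscation Via HangulCharacter) and the AI summary further down (a Proxy object that evaluates decoded strings) describe one loader technique: the real script is encoded as a run of Hangul filler code points that render as nothing, is passed around as an ordinary-looking string or property name, and a Proxy getter turns the fillers back into text and evaluates it. The following is an added triage example, not Joe Security's rule logic and not the kit's own JavaScript. It builds a constructed page that hides a hypothetical one-line script this way, then detects and decodes it. The code points used (U+FFA0 and U+3164) are the ones publicly associated with the technique; which bit each one stands for is an assumption, so the decoder tries both assignments and keeps whichever yields printable text.

```python
"""Detect and decode JavaScript hidden in invisible Hangul filler characters."""
import re
import string

# Code points that render as blank. The two fillers are the ones publicly tied to
# this technique; which bit each filler stands for is an ASSUMPTION here, so the
# decoder below tries both assignments.
HALFWIDTH_FILLER = "\uffa0"   # assumed to encode a 0 bit
FULLWIDTH_FILLER = "\u3164"   # assumed to encode a 1 bit
INVISIBLE = {HALFWIDTH_FILLER, FULLWIDTH_FILLER, "\u115f", "\u1160",
             "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
FILLER_RUN_RE = re.compile(f"[{HALFWIDTH_FILLER}{FULLWIDTH_FILLER}]{{8,}}")


def encode_invisible(js: str, zero: str = HALFWIDTH_FILLER,
                     one: str = FULLWIDTH_FILLER) -> str:
    """Encoder used only to build the constructed sample: one filler per bit."""
    return "".join(one if bit == "1" else zero
                   for byte in js.encode("utf-8") for bit in format(byte, "08b"))


def _bits_to_bytes(run: str, zero: str) -> bytes:
    bits = "".join("0" if c == zero else "1" for c in run)
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def _is_printable_text(raw: bytes) -> bool:
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c in string.printable for c in text)


def invisible_ratio(text: str) -> float:
    """Share of characters that render as nothing; normal JS is close to 0."""
    return sum(c in INVISIBLE for c in text) / max(len(text), 1)


def decode_invisible_runs(text: str) -> list:
    """Decode every long filler run, keeping whichever bit assignment yields text.
    A wrong assignment complements every byte, so ASCII never survives it."""
    decoded = []
    for match in FILLER_RUN_RE.finditer(text):
        for zero in (HALFWIDTH_FILLER, FULLWIDTH_FILLER):
            raw = _bits_to_bytes(match.group(0), zero)
            if _is_printable_text(raw):
                decoded.append(raw.decode("utf-8"))
                break
    return decoded


def scan(text: str) -> dict:
    """Verdict for one script or page body."""
    ratio = invisible_ratio(text)
    decoded = decode_invisible_runs(text)
    if decoded:
        verdict = "invisible-js"
    elif ratio > 0.05:
        verdict = "suspicious-invisible-chars"
    else:
        verdict = "clean"
    return {"invisible_ratio": round(ratio, 3), "decoded": decoded, "verdict": verdict}


# Constructed sample shaped like the loader the report describes: the hidden script
# is handed to a Proxy as a property name and the getter would decode and run it.
# The hidden script and its URL are hypothetical.
HIDDEN_JS = 'window.location.href = "https://example.invalid/landing";'
SAMPLE_PAGE = ('<script>var p = new Proxy({}, {get: function(_, k) { /* decode k, eval */ }});'
               'p["' + encode_invisible(HIDDEN_JS) + '"];</script>')

if __name__ == "__main__":
    print(scan(SAMPLE_PAGE))
```

Run against a saved page or script body, the invisible-character ratio alone is a usable first-pass signal (legitimate minified JS contains essentially none of these code points); the decode step recovers the hidden text so the redirect target can be extracted without executing anything.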

            Phishing

Source: Yara match | File source: 1.3.d.script.csv, type: HTML
Source: Yara match | File source: 1.0.pages.csv, type: HTML
Source: Yara match | File source: 1.3.d.script.csv, type: HTML
Source: Yara match | File source: 1.8..script.csv, type: HTML
Source: Yara match | File source: 1.0.pages.csv, type: HTML
Source: Yara match | File source: 1.2.d.script.csv, type: HTML
Source: Yara match | File source: 1.7.d.script.csv, type: HTML
Source: 1.4..script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://y5.oexkcgdv.ru/ehzFSBIt/$rsalinas@wcctxlaw... This script demonstrates several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. The use of `atob` and `decodeURIComponent` to decode and execute remote code is a clear indicator of malicious intent. Additionally, the script appears to be sending user data to an untrusted domain, which poses a significant risk of data theft or other malicious activities. Overall, this script exhibits a high level of suspicion and should be treated as a potential security threat.
Source: 1.8..script.csv | Joe Sandbox AI: Detected suspicious JavaScript with source url: https://y5.oexkcgdv.ru/ehzFSBIt/$rsalinas@wcctxlaw... This script demonstrates high-risk behaviors, including dynamic code execution through the use of a Proxy object that evaluates decoded strings. The obfuscated nature of the code and the potential for remote code execution make this a high-risk script.
Source: Email | Joe Sandbox AI: Detected potential phishing email: The email originates from an unusual sender address (info@fahr-mit-jan.de) that does not match the expected domain for a financial transaction or a known business entity. The email subject and content reference a direct deposit and a fax service, which are unrelated topics, suggesting an attempt to confuse or mislead the recipient. The email includes a suspicious attachment with a misleading file extension (.SVG), which is commonly used in phishing attempts to disguise malicious content.
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/RYTKI0S4/RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG | HTTP Parser: window.location.href = atob(
Source: Email | Classification: Payroll Fraud
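The chain the report records is short: the .eml carries an SVG attachment named to look like a PDF, Outlook writes it to Content.Outlook\RYTKI0S4, chrome.exe renders it, and the script inside the SVG runs window.location.href = atob(...) to land on the Tycoon2FA page at y5.oexkcgdv.ru with the recipient's address in the path. Because SVG is XML and may contain <script>, the attachment itself is the cheapest place to triage. The following is an added example, not Joe Sandbox's detection logic: a Python script that parses an .eml, pulls out SVG attachments, flags script, location redirects and the PDF-in-name lure, and decodes any base64 literal passed to atob to recover the redirect target without opening the file. The sample message, attachment name and landing URL are constructed.

```python
"""Triage an .eml for SVG attachments that script a browser redirect."""
import base64
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample (not the report's sample): a payment lure with a one-pixel
# SVG whose only job is to send the browser to a base64-hidden URL.
LANDING_URL = "https://example.invalid/landing"        # hypothetical phishing page
_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1">'
    '<script type="text/javascript">window.location.href = atob("{}");</script>'
    '</svg>'
).format(base64.b64encode(LANDING_URL.encode()).decode())


def build_sample_eml() -> bytes:
    """Build the constructed lure as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = "info@sender.invalid"
    msg["To"] = "user@victim.invalid"
    msg["Subject"] = "FW: FW: DirectDeposit# 000000 Payment"
    msg.set_content("Please see the attached remittance advice.")
    msg.add_attachment(_SVG.encode(), maintype="image", subtype="svg+xml",
                       filename="RemitReports_PaymentAdvice_PDF.SVG")
    return msg.as_bytes()


SCRIPT_RE = re.compile(r"<script\b|on(?:load|error|click)\s*=", re.I)
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=[^=]"
    r"|location\.(?:replace|assign)\s*\(", re.I)
ATOB_RE = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
DOC_EXT_RE = re.compile(r"[._-](pdf|docx?|xlsx?)$")   # "..._PDF.SVG" style lure


def analyse_svg(name: str, data: bytes) -> dict:
    """Static checks on one SVG attachment; nothing is rendered or executed."""
    text = data.decode("utf-8", errors="replace")
    stem = name.lower().rsplit(".", 1)[0]
    findings = {
        "name": name,
        "has_script": bool(SCRIPT_RE.search(text)),
        "has_redirect": bool(REDIRECT_RE.search(text)),
        "double_extension": bool(DOC_EXT_RE.search(stem)),
        "decoded_atob": [],
    }
    for b64 in ATOB_RE.findall(text):
        try:
            raw = base64.b64decode("".join(b64.split()), validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        findings["decoded_atob"].append(raw.decode("utf-8", errors="replace"))
    return findings


def verdict(f: dict) -> str:
    if f["has_script"] and (f["has_redirect"] or f["decoded_atob"]):
        return "malicious-redirect"
    if f["has_script"]:
        return "suspicious-script"
    return "clean"


def triage_eml(raw: bytes) -> list:
    """Return findings for every SVG attachment (by type, extension or content)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if (part.get_content_type() == "image/svg+xml"
                or name.lower().endswith(".svg")
                or b"<svg" in payload[:2048].lower()):
            results.append(analyse_svg(name, payload))
    return results


if __name__ == "__main__":
    for f in triage_eml(build_sample_eml()):
        print(verdict(f), f)
```

The content sniff on the first 2 KB matters in practice: a mail gateway that only keys on the declared MIME type or extension misses an SVG shipped as application/octet-stream, and the report's own classification shows how little the rest of the chain needs once the browser is handed the file.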
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49713 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49714 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 142.250.64.68:443 -> 192.168.2.16:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 151.101.2.137:443 -> 192.168.2.16:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.17.25.14:443 -> 192.168.2.16:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.4.189:443 -> 192.168.2.16:49743 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.16.5.189:443 -> 192.168.2.16:49744 version: TLS 1.2
Source: chrome.exe | Memory has grown: Private usage: 23MB later: 32MB
Source: unknown | TCP traffic detected without corresponding DNS query: 52.182.143.211
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.80.67
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.90.172
Source: unknown | TCP traffic detected without corresponding DNS query: 142.250.80.67
Source: unknown | TCP traffic detected without corresponding DNS query: 199.232.90.172
Source: unknown | TCP traffic detected without corresponding DNS query: 3.168.96.117 (4 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.62.132
Source: unknown | TCP traffic detected without corresponding DNS query: 184.31.68.248 (2 events)
Source: unknown | TCP traffic detected without corresponding DNS query: 40.126.62.132
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (8 events)
Source: global traffic | HTTP traffic detected (logged twice):
    GET /ehzFSBIt/$rsalinas@wcctxlaw.com HTTP/1.1
    Host: y5.oexkcgdv.ru
    Connection: keep-alive
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /jquery-3.6.0.min.js HTTP/1.1
    Host: code.jquery.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://y5.oexkcgdv.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /ajax/libs/crypto-js/4.1.1/crypto-js.min.js HTTP/1.1
    Host: cdnjs.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-mobile: ?0
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Sec-Fetch-Storage-Access: active
    Referer: https://y5.oexkcgdv.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /favicon.png HTTP/1.1
    Host: developers.cloudflare.com
    Connection: keep-alive
    sec-ch-ua-platform: "Windows"
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
    sec-ch-ua-mobile: ?0
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Sec-Fetch-Storage-Access: active
    Referer: https://y5.oexkcgdv.ru/
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /favicon.png HTTP/1.1
    Host: developers.cloudflare.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Sec-Fetch-Storage-Access: active
    Accept-Encoding: gzip, deflate, br, zstd
    Accept-Language: en-US,en;q=0.9
    Cookie: __cf_bm=lYakKLSJ2AUjf2VPCUEqbgqio8d.wwDQvUFktp_p3nM-1743010005-1.0.1.1-.wr0KGWWCoPPxTzTKj5nHBAtgH7AAJQGG9gZUy_onfRalBsNTR0ZNiMSLAkU5NobOAXQrFwAyHEYx9Jn_I0Np_0wz7aaSoQIi3ozU1A5YFk
Source: global traffic | DNS traffic detected: DNS query: y5.oexkcgdv.ru
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: code.jquery.com
Source: global traffic | DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic | DNS traffic detected: DNS query: developers.cloudflare.com
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49687
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49686
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49686 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown | Network traffic detected: HTTP traffic on port 49679 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49687 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Windows\SystemTemp\scoped_dir6180_333202738
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File deleted: C:\Windows\SystemTemp\scoped_dir6180_333202738
Source: classification engine | Classification label: mal84.phis.evad.winEML@29/3@12/115
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250326T1324350946-7124.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5508DC6E-7460-4733-A59E-1349AC6BE65D" "06C777C9-E586-42C6-B1FC-A12EFEEDA03D" "7124" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" (2 events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2008,i,12362316746177149109,1949792878988641487,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 events)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2008,i,12362316746177149109,1949792878988641487,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2140 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (14 events)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RYTKI0S4\RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG (2 events)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (4 events)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File opened: C:\Windows\SysWOW64\MsftEdit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window detected: Number of UI elements: 14
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match, File source: 1.2.d.script.csv, type: HTML
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
            Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
            Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 21 Browser Extensions | 1 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Modify Registry | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 Extra Window Memory Injection | 1 Process Injection | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 DLL Side-Loading | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 3 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Extra Window Memory Injection | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop

Source | Detection | Scanner | Label | Link
FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml | 0% | Virustotal | - | Browse
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://y5.oexkcgdv.ru/ehzFSBIt/$rsalinas@wcctxlaw.com | 0% | Avira URL Cloud | safe | -
Name | IP | Active | Malicious | Antivirus Detection | Reputation
code.jquery.com | 151.101.2.137 | true | false | - | high
developers.cloudflare.com | 104.16.4.189 | true | false | - | high
cdnjs.cloudflare.com | 104.17.25.14 | true | false | - | high
y5.oexkcgdv.ru | 104.21.48.1 | true | true | - | unknown
www.google.com | 142.250.64.68 | true | false | - | high
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | - | high
Name | Malicious | Antivirus Detection | Reputation
https://y5.oexkcgdv.ru/ehzFSBIt/$rsalinas@wcctxlaw.com | false | Avira URL Cloud: safe | unknown
https://code.jquery.com/jquery-3.6.0.min.js | false | - | high
https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js | false | - | high
https://developers.cloudflare.com/favicon.png | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
104.21.48.1 | y5.oexkcgdv.ru | United States | 13335 | CLOUDFLARENETUS | true
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
52.109.16.52 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
172.253.63.84 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.227 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.238 | unknown | United States | 15169 | GOOGLEUS | false
142.250.64.68 | www.google.com | United States | 15169 | GOOGLEUS | false
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
23.9.183.29 | unknown | United States | 16625 | AKAMAI-ASUS | false
142.250.80.3 | unknown | United States | 15169 | GOOGLEUS | false
142.251.40.99 | unknown | United States | 15169 | GOOGLEUS | false
20.189.173.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
                              IP
                              192.168.2.16
                              192.168.2.5
                              Joe Sandbox version:42.0.0 Malachite
                              Analysis ID:1649382
                              Start date and time:2025-03-26 18:24:05 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:defaultwindowsinteractivecookbook.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:17
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • EGA enabled
                              Analysis Mode:stream
                              Analysis stop reason:Timeout
                              Sample name:FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml
                              Detection:MAL
                              Classification:mal84.phis.evad.winEML@29/3@12/115
                              Cookbook Comments:
                              • Found application associated with file extension: .eml
                              • Exclude process from analysis (whitelisted): SIHClient.exe, svchost.exe
                              • Excluded IPs from analysis (whitelisted): 23.9.183.29, 52.123.128.14
                              • Excluded domains from analysis (whitelisted): ecs.office.com, dual-s-0005-office.config.skype.com, fs.microsoft.com, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, e16604.dscf.akamaiedge.net
• Not all processes were analyzed, report is missing behavior information
                              • Report size getting too big, too many NtQueryAttributesFile calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • Report size getting too big, too many NtSetValueKey calls found.
                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                              • VT rate limit hit for: y5.oexkcgdv.ru
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                              File Type:data
                              Category:modified
                              Size (bytes):106496
                              Entropy (8bit):4.481838839441162
                              Encrypted:false
                              SSDEEP:
                              MD5:BBB57EF6E43165701426919069BD9B8A
                              SHA1:66EFABD9A4D7755E0D02786FEE962DE7F166A726
                              SHA-256:7009F95F254E77F0B335E25F3B5408B87592646B0A9744E840B5561B979992FA
                              SHA-512:13314D5010806542581387BD7D70F61EF439DE421A4BFF6DD0F555C1D09BBFEA66517361CFAD9CAF5F67B948F93AC697832CD570243E26C62BD72B45E77EEB76
                              Malicious:false
                              Reputation:unknown
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                              File Type:Microsoft Outlook email folder (>=2003)
                              Category:dropped
                              Size (bytes):271360
                              Entropy (8bit):2.662228690864373
                              Encrypted:false
                              SSDEEP:
                              MD5:55121C7133ADC52ED85F7F7021D43603
                              SHA1:EDD269449A2B9DCE215CFEB43A4622AB0E304549
                              SHA-256:45E9B0595652211C348A7A1BB5D883F8122E58829EA3B553DAFF6CCC3B9A25F2
                              SHA-512:F72F09B679D2540F066629689668B6D5B3A6CF393128BCCE467C3C90A4DFF19B339BA5527F70F0592E9D20DE4A5410F9645E6A768FB281D54BA00F918E9A0B42
                              Malicious:true
                              Reputation:unknown
                              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                              File Type:data
                              Category:dropped
                              Size (bytes):131072
                              Entropy (8bit):3.4122602547510668
                              Encrypted:false
                              SSDEEP:
                              MD5:71992C39B9D6573EBAE064D8ABC63CD9
                              SHA1:DE0D4692437584D455EAD3B392379E508D14CF55
                              SHA-256:DECFF051BC3CE85378710C993FAFA457A7703F3E2E1F1A2B72316C5F128BCAE4
                              SHA-512:B704F72776BD5747B28F9C7239FA9144F29399B53CFC0E3127B905FF183ACE7F9700B1A95FD33C012FCC232A6ED4ACC4771ED88EA97F876A4E969F975593463E
                              Malicious:true
                              Reputation:unknown
                              File type:RFC 822 mail, ASCII text, with very long lines (857), with CRLF line terminators
                              Entropy (8bit):5.752153383414451
                              TrID:
                              • E-Mail message (Var. 5) (54515/1) 100.00%
                              File name:FW_ FW_ DirectDeposit# 952759 _ Payment_ HSAAZDIXHI [ID_0024087].eml
                              File size:24'517 bytes
                              MD5:53b7baf9b9bf42279069eff706017cc8
                              SHA1:5bf1175b21d2f1fd4c9f3207da84285e9d5d915a
                              SHA256:ffea77a1059e7ca5766636b36971f3f326d7207200c15c7e3824d2e67037c8ba
                              SHA512:eec5ce9efaae26905ab2e29e07ee117af1f2ae49c7d97844527560bfb92aa1412a9858f8bc1df608a3869f8ddfe25d1ee74083d129f28304ef702d1bde0836a9
                              SSDEEP:384:uCDoOvayIaFJkPaG0iR9FMx/DRLR9vgsBer2mCuto1KzpOHUYI2aP5UJu:ug/Ot049oErXQ0zr
                              TLSH:D7B27403D256084764BBB1F5A01B176DA1B18ACCE7129AB071BFB3FE5F8DC4162A538C
                              File Content Preview:Received: from LV8PR11MB8558.namprd11.prod.outlook.com (2603:10b6:408:1ed::13).. by DM3PR11MB8713.namprd11.prod.outlook.com with HTTPS; Wed, 26 Mar 2025.. 17:19:34 +0000..Received: from BLAP220CA0015.NAMP220.PROD.OUTLOOK.COM (2603:10b6:208:32c::20).. by L
                              Subject:FW: FW: DirectDeposit# 952759 : Payment: HSAAZDIXHI [ID:0024087]
                              From:CoreRecon Support <support@corerecon.com>
                              To:Karan Singh <Karan@corerecon.com>
                              Cc:
                              BCC:
                              Date:Wed, 26 Mar 2025 17:19:25 +0000
                              Communications:
                              • Karan Singh Security Engineer ________________________________ From: rsalinas@wcctxlaw.com Sent: 3/26/2025 10:48:40 AM To: support@corerecon.com Subject: FW: DirectDeposit# 952759 : Payment: HSAAZDIXHI Is it safe to open. I do not recognize this email. Best Regards, Rosie Salinas Legal Assistant WEBB, CASON & MANNING 710 Mesquite Street Corpus Christi, TX 78401 361.887.1031 (Telephone) 361.887.0903 (Fax) 361.443.0414 (Cell) rsalinas@wcctxlaw.com <mailto:rsalinas@wcctxlaw.com>
                              • From: Accounting-AP <info@fahr-mit-jan.de> Sent: Wednesday, March 26, 2025 10:25 AM To: Rosemary Salinas <rsalinas@wcctxlaw.com> Subject: DirectDeposit# 952759 : Payment: HSAAZDIXHI You don't often get email from info@fahr-mit-jan.de<mailto:info@fahr-mit-jan.de>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> ________________________________ [https://d25belsjtc52s.cloudfront.net/4.4.5/g2Logo.png] New fax [https://d25belsjtc52s.cloudfront.net/4.4.5/infoinactive.png] Fax received You've received a fax from ASBURY PARK, NEW JERSEY at +1 (595) 955-3700 at 15:25:13 PM EDT. ________________________________ Time March 26, 2025 at 15:25:13 PM EDT ________________________________ From ASBURY PARK, NEW JERSEY +1 (595) 955-3700<tel:+1%20757-842-6321> ________________________________ To rsalinas@wcctxlaw.com <tel:+1%20757-821-0244> Rsalinas ________________________________ Fax Document fax-in_17578426321_on20230523.pdf ________________________________ Pages 7 (309.6 KB) ________________________________ ________________________________ Thank you for using our fax service! ________________________________ 2023 GoTo Group, Inc. 333 Summer St, Boston, MA 02210, United States Follow us on Twitter<https://twitter.com/GoTo>, LinkedIn<https://www.linkedin.com/company/GoTo> or Facebook<https://www.facebook.com/GoTo>
                              Attachments:
                              • RemitReports_Rsalinas_PaymentAdviceXHOIOD_PDF.SVG
Key: Value
Received: from IA1PR11MB6291.namprd11.prod.outlook.com ([fe80::7e2f:fa0:6cbb:438b]) by IA1PR11MB6291.namprd11.prod.outlook.com ([fe80::7e2f:fa0:6cbb:438b%5]) with mapi id 15.20.8534.042; Wed, 26 Mar 2025 17:19:25 +0000
From: CoreRecon Support <support@corerecon.com>
To: Karan Singh <Karan@corerecon.com>
Subject: FW: FW: DirectDeposit# 952759 : Payment: HSAAZDIXHI [ID:0024087]
Thread-Topic: FW: DirectDeposit# 952759 : Payment: HSAAZDIXHI [ID:0024087]
Thread-Index: AQHbnnM4i3cLFUCaV0i3wyYeMHSQ7g==
Date: Wed, 26 Mar 2025 17:19:25 +0000
Message-ID: <IA1PR11MB629132492C8EDB695C921303B4A62@IA1PR11MB6291.namprd11.prod.outlook.com>
Reply-To: CoreRecon Support <support@corerecon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: IA1PR11MB6291.namprd11.prod.outlook.com
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Network-Message-Id: 7d445927-f5a5-46ba-4740-08dd6c8a5f84
X-MS-Exchange-Organization-SCL: 1
X-MS-TNEF-Correlator:
X-MS-Exchange-Organization-RecordReviewCfmType: 0
x-ms-publictraffictype: Email
received-spf: Pass (protection.outlook.com: domain of corerecon.com designates 20.98.2.159 as permitted sender) receiver=protection.outlook.com; client-ip=20.98.2.159; helo=us1-emailsignatures-cloud.codetwo.com; pr=C
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(920097)(425001)(930097)(140003);
X-Microsoft-Antispam-Message-Info:
Content-Type: multipart/mixed; boundary="_004_IA1PR11MB629132492C8EDB695C921303B4A62IA1PR11MB6291namp_"
MIME-Version: 1.0

                              Icon Hash:46070c0a8e0c67d6