Windows Analysis Report
attachment (5).eml

Overview

General Information

Sample Name:attachment (5).eml
Analysis ID:838281
MD5:165818089d440f4401ca2c6f474d141c
SHA1:f1afe08f8319422addc598c6a3f7841c2b88cd82
SHA256:4f1f650d513c99627917b759787d2a91bec971ec0cc052b07944a6c8ef6e258c

Detection

Score:48
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Injects files into Windows application
Sets file extension default program settings to executables
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Queries disk information (often used to detect virtual machines)
Creates a process in suspended mode (likely to inject code)

Classification

Classification categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner. Verdict scale: clean, suspicious, malicious.
  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6552 cmdline: C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\attachment (5).eml MD5: CA3FDE8329DE07C95897DB0D828545CD)
  • OpenWith.exe (PID: 6184 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: 5D37A62943F1071FFFFE1DE74B8F2778)
  • OpenWith.exe (PID: 4996 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: 5D37A62943F1071FFFFE1DE74B8F2778)
  • 7zFM.exe (PID: 6728 cmdline: C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\message_v2.rpmsg MD5: C8F40F25F783A52262BDAEDEB5555427)
  • OpenWith.exe (PID: 3824 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: 5D37A62943F1071FFFFE1DE74B8F2778)
    • notepad.exe (PID: 2912 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\message_v2.rpmsg MD5: F1139811BBF61362915958806AD30211)
  • cleanup
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown | Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 192.229.221.95 (8 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.8.86 (2 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 52.109.32.24 (2 occurrences)
Source: unknown | DNS traffic detected: queries for: 813e5ad8-847c-41d7-bc50-b77f91b3039c.rms.na.aadrm.com
Source: C:\Windows\System32\OpenWith.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\attachment (5).eml
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding (2 occurrences)
Source: unknown | Process created: C:\Program Files\7-Zip\7zFM.exe C:\Program Files\7-Zip\7zFM.exe" "C:\Users\user\Desktop\message_v2.rpmsg
Source: unknown | Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\message_v2.rpmsg (2 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3824:120:WilError_02
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_02
Source: C:\Windows\System32\OpenWith.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_02
Source: C:\Windows\System32\notepad.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2912:304:WilStaging_02
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\olk3B2B.tmp
Source: classification engine | Classification label: mal48.evad.winEML@7/16@4/38
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\user\Searches\desktop.ini
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Windows\System32\drivers\etc\hosts (3 occurrences)
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File opened: C:\Windows\SYSTEM32\MsftEdit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | Window detected: Number of UI elements: 11 (20 occurrences)
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | Window detected: Number of UI elements: 16 (5 occurrences)
Source: attachment (5).eml | Static file information: File size 1823701 > 1048576
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Boot Survival

Source: C:\Windows\System32\OpenWith.exe | Registry value created: HKEY_CURRENT_USER_Classes\.rpmsg_auto_file\shell\open\command %SystemRoot%\system32\NOTEPAD.EXE %1
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (65 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Process information set: NOOPENFILEERRORBOX (16 occurrences)
Source: C:\Windows\System32\OpenWith.exe TID: 6224 | Thread sleep count: 125 > 30
Source: C:\Windows\System32\OpenWith.exe TID: 3804 | Thread sleep count: 123 > 30
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | File opened: PhysicalDrive0
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\Desktop\message_v2.rpmsg was created by C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE (2 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\Desktop\message_v2.rpmsg
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation (3 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation (6 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation (4 occurrences)
Source: C:\Windows\System32\OpenWith.exe | Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation (2 occurrences)
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\Desktop\message_v2.rpmsg VolumeInformation
MITRE ATT&CK Matrix (one tactic per column; a number preceding a technique is the report's match-count marker, kept as extracted)

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Shared Modules | Path Interception | 111 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | 2 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Virtualization/Sandbox Evasion | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Non-Application Layer Protocol | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 111 Process Injection | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 2 Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | 1 File and Directory Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | 22 System Information Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | 1 Remote System Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

No Antivirus matches
Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
813e5ad8-847c-41d7-bc50-b77f91b3039c.rms.na.aadrm.com | unknown | unknown | false | | unknown

Reputation legend (share of IPs with a detection):
    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

IPs

IP | Domain | Country | ASN | ASN Name | Malicious
52.109.8.86 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.32.24 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
13.107.6.181 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
52.109.88.193 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
192.229.221.95 | unknown | United States | 15133 | EDGECASTUS | false

General Information
    Joe Sandbox Version:37.0.0 Beryl
    Analysis ID:838281
    Start date and time:2023-03-30 18:18:34 +02:00
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 64 bit version 1909 (MS Office 2019, IE 11, Chrome 104, Firefox 88, Adobe Reader DC 21, Java 8 u291, 7-Zip)
    Number of new started processes analysed:13
    Number of new started drivers analysed:0
    Number of existing processes analysed:1
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample file name:attachment (5).eml
    Detection:MAL
    Classification:mal48.evad.winEML@7/16@4/38
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
    • Excluded IPs from analysis (whitelisted): 13.107.6.181
    • Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, aadrm-com.b-0026.b-msedge.net, b-0026.b-msedge.net
    • Report size getting too big, too many NtOpenKeyEx calls found.
    • Report size getting too big, too many NtProtectVirtualMemory calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    File Type:data
    Category:dropped
    Size (bytes):239628
    Entropy (8bit):4.2725488495136945
    Encrypted:false
    SSDEEP:
    MD5:2DA19F3B8FBC9994174E689E6F46D96C
    SHA1:3AD946BE3F2BFF44DB0738B6F66048ED18FBAA6E
    SHA-256:A6BCA2C8D4EEA5D804B09F41D9BDE35ABA0878B45BC84D1B962CFC855CA6BF79
    SHA-512:FC8F10A43438C4F4B4DB0A64B52DF583785F98E52DE30FAFD58748555B76AFBECCD7E1B6DA9A1E8793E948CEB2CF9EA1E3D1B2087755B633974A478E122D888C
    Malicious:false
    Reputation:low
    Preview:TH02...... ..(.R#c......SM01(........M.R#c..........IPM.Activity...........h.......................hZ......XZ...........H..h.............r.V.......hZ.......B...........H..h.... ..................h....0..................h.......................h..............\.......hZ...@.........t........hB...H......../.........0....T........%K.............d.................2h.... ..................kF.G.........4m .E.....!h...................... h..............t.......#h....8.................$h............<........."h.............8.\......'h...............XZ.....1h....<.................0hiles8.......utoIt3\.../h....l........Bj.....H..h....p........p.\......-h..............t.......+h.................................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k............c.1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(...
    File Type:data
    Category:dropped
    Size (bytes):29882
    Entropy (8bit):3.98204256199309
    Encrypted:false
    SSDEEP:
    MD5:62B95C58FB8F179AB76D13F8A5B20DD3
    SHA1:02096108B39F75371778BDFDC3D1189CFFF14B47
    SHA-256:0EA989A7A433CF6062A4A371C8CF89A66088E12B0A0799615FA1B5EF652764CC
    SHA-512:4DB197CB10D48592299DE117A30B67B0D3AD396FB63A6793B88ADCB367AAA6DFFAAC197C22D3D8C551EB42AF0B15CB783218933259D7BC1AC178B0C1780D0921
    Malicious:false
    Reputation:low
    Preview:<.X.r.M.L. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".".>.<.B.O.D.Y. .t.y.p.e.=.".L.I.C.E.N.S.E.". .v.e.r.s.i.o.n.=.".3...0.".>.<.I.S.S.U.E.D.T.I.M.E.>.2.0.2.3.-.0.3.-.3.0.T.1.6.:.1.9.<./.I.S.S.U.E.D.T.I.M.E.>.<.D.E.S.C.R.I.P.T.O.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.9.2.9.9.2.2.3.6.-.A.9.2.0.-.4.1.5.2.-.A.B.A.C.-.1.C.8.3.4.6.7.C.5.A.5.7.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<./.D.E.S.C.R.I.P.T.O.R.>.<.I.S.S.U.E.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.S.-.D.R.M.-.D.e.s.k.t.o.p.-.S.e.c.u.r.i.t.y.-.P.r.o.c.e.s.s.o.r.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.4.3.4.C.F.C.2.5.-.B.9.3.E.-.4.2.9.8.-.9.C.3.B.-.A.3.B.E.4.9.B.7.3.7.D.B.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .D.R.M. .P.r.o.d.u.c.t.i.o.n. .D.e.s.k.t.o.p. .S.e.c.u.r.i.t.y. .P.r.o.c.e.s.s.o.r. .A.c.t.i.v.a.t.i.o.n. .C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<.P.U.B.L.I.C.
    File Type:data
    Category:dropped
    Size (bytes):26606
    Entropy (8bit):3.9591086599428373
    Encrypted:false
    SSDEEP:
    MD5:9BB2504C91C116F0B5680A01C6B44E45
    SHA1:6D4165A51F070A25D0E97526D30E8E72BB0BD2F0
    SHA-256:192DB9CDEAA5C7CB60CF848E97C7C9AD717AB633EFB1C31539269E63232E4785
    SHA-512:98DEF4F7CCE2FA9C9B3B5441256079ECC5B88D3E55D99EBD0E7FFF4843C4F3621D5995C19CEC1E53DA44C6A6A5D98C5E4975378690DBE4C5A77DC69742B642F2
    Malicious:false
    Reputation:low
    Preview:<.X.r.M.L. .v.e.r.s.i.o.n.=.".1...2.". .x.m.l.n.s.=.".".>.<.B.O.D.Y. .t.y.p.e.=.".L.I.C.E.N.S.E.". .v.e.r.s.i.o.n.=.".3...0.".>.<.I.S.S.U.E.D.T.I.M.E.>.2.0.2.3.-.0.3.-.3.0.T.1.6.:.1.9.<./.I.S.S.U.E.D.T.I.M.E.>.<.D.E.S.C.R.I.P.T.O.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.9.2.9.9.2.2.3.6.-.A.9.2.0.-.4.1.5.2.-.A.B.A.C.-.1.C.8.3.4.6.7.C.5.A.5.7.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .M.a.c.h.i.n.e.-.C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<./.D.E.S.C.R.I.P.T.O.R.>.<.I.S.S.U.E.R.>.<.O.B.J.E.C.T. .t.y.p.e.=.".M.S.-.D.R.M.-.D.e.s.k.t.o.p.-.S.e.c.u.r.i.t.y.-.P.r.o.c.e.s.s.o.r.".>.<.I.D. .t.y.p.e.=.".M.S.-.G.U.I.D.".>.{.5.b.4.4.e.d.9.2.-.3.8.9.4.-.4.3.e.b.-.8.3.9.5.-.2.a.1.3.a.e.8.d.f.2.2.3.}.<./.I.D.>.<.N.A.M.E.>.M.i.c.r.o.s.o.f.t. .D.R.M. .P.r.o.d.u.c.t.i.o.n. .D.e.s.k.t.o.p. .S.e.c.u.r.i.t.y. .P.r.o.c.e.s.s.o.r. .A.c.t.i.v.a.t.i.o.n. .C.e.r.t.i.f.i.c.a.t.e.<./.N.A.M.E.>.<./.O.B.J.E.C.T.>.<.P.U.B.L.I.C.
    File Type:data
    Category:dropped
    Size (bytes):108
    Entropy (8bit):1.4721459823594003
    Encrypted:false
    SSDEEP:
    MD5:EB286D323694BC6EC49DBC0E9D506815
    SHA1:27E8B94C3A1E00947702FC23C7BC9126604CA4E6
    SHA-256:5CB6BE8C171F3E9BFEAB5CA8A57CA50DEEAD72F15DD73F79F8AA2C1C06564646
    SHA-512:6E397505899B109073F2DB064005B86EBA904387426F33B901158F3D9DCEE9753D705B50CA43506EAAC4B3C69B664F15A21774DBDB562D68CD74340169C08502
    Malicious:false
    Reputation:low
    Preview:L.o.g.F.i.l.e._.6.2.4.8._.1...i.p.c.l.o.g...................................................................
    File Type:ASCII text, with very long lines (315), with CRLF, LF line terminators
    Category:dropped
    Size (bytes):407100
    Entropy (8bit):5.647756554946481
    Encrypted:false
    SSDEEP:
    MD5:76E709288DA654EFE40D2E2D7334CF25
    SHA1:592F858DBCF203C3925C4FF0A2C4494D21320807
    SHA-256:5F045EDC1BD63BA83DCA46E0867056CFD8C8F08F266014DC6E8203D1CF388D82
    SHA-512:3C90796F97C994FADAC5738C185B8531FF9178E01A7590C7F1FDBBFC67CA253E5CBF8209DFCCBA2A22683E7EA1820B5CA85C686CB0BE2D7646FB1DA201041E48
    Malicious:false
    Reputation:low
    Preview:{{[1][msipc]:[Info]:[6652]:[2023-03-30 16:19:17.095]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:4984....Logging Initialized for client mode, store name is NULL....}}{{[2][msipc]:[Info]:[6652]:[2023-03-30 16:19:17.095]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:4987....Log Version: 1.1....}}{{[7][msipc]:[Warning]:[6652]:[2023-03-30 16:19:17.095]: ipcauthadal.cpp:Microsoft::InformationProtection::AuthInit::Initialize:69....Client id is not set, authentication against Evo will not be possible.....}}{{[8][msipc]:[Warning]:[6652]:[2023-03-30 16:19:17.095]: ipcauthadal.cpp:Microsoft::InformationProtection::AuthInit::Initialize:73....Redirection uri is not set, authentication against Evo will not be possible.....}}{{[14][msipc]:[Info]:[6652]:[2023-03-30 16:19:17.095]: ippapi.cpp:ippInitializeAuthAndFileBasedLoggingIfNeeded:4993....Flighting Ring Id: Client not part of any flighting ring.....}}{{[16][msipc]:[Info]:[6652]:[2023-03-30 16:19:17.095]: registry.h:Microso
    File Type:data
    Category:dropped
    Size (bytes):4096
    Entropy (8bit):7.956569912927638
    Encrypted:false
    SSDEEP:
    MD5:EBA408573DA3AA03192EDCC1181B7A4D
    SHA1:60C676C695A61923B4FA506811B9115D8080EC7A
    SHA-256:88596687622EFC74FE7CD644BB9E1E3D8E90D7A1E161B556CBF58F74AC58F8B4
    SHA-512:0446D5368443E9C96CE9755276E8A6F9FDFFCA8E9301339FFE27D0D936BCD2257F3E4FD2CCCAF646DFAE21CA3591D626DAE66F4E02CC936D427F286B64B97020
    Malicious:false
    Reputation:low
    Preview:..P..3r~.N.C.jT.]CsC10#.UUG.GQ.K...3..Y.).i....A.......\...........<...c.9..>.i.Y.P...Z.R..e.1..2..o....:tz,9x..M.+j.n.r]...MW..Fb..<w.b|...../.....i,....8&]r.k8...Q.C.S.....,....(lI$.gG...ez..........$..Oa.7%......S./.4(...@(....%...j...b8.=.,.|.$E=L..~<...0m'.............h....u7'.v....k.N.5.ol`?i....Zu...z..?_.........FS.v<..4....L6...46)v..=.....fh.4p..._..[..i.(e8+..#...^.f.-K. gF.......M.f ..m....~..'..K..c..i...7.~6^X......0.K......~.:....vP.~..g.D.X.c".mIj...\....>YR...~,..%....D....:..k^.....Ww. E.j...Y x/...z_....b...K.4.....*3.h/....Ua.H.p.Y.~..q.......m..Q.V....*s.GA+.5.......E........=.OYG...C.4..O.....J....fvT.4d..3.\i..c..1.#g...XR_.. s.....#..$.2.s1.M..........m..,/S.d..$.\.....,.Ao..~..a....N&&N.N_K..Pz.pZi.c.I.::...[..o..#.f.4`.....G..&..P..TWN.d....#..|.Y)`....\....q.7~Z...K...+...;.o.hzz<1.....-m....W......*...|.Y.%.n....h...J.%..B8}..@e........t.\].... .....r0.D$...v!.%..\=s..7....].}(..i..{."...
    File Type:rpmsg Restricted Permission Message
    Category:dropped
    Size (bytes):1318359
    Entropy (8bit):7.992102357800238
    Encrypted:true
    SSDEEP:
    MD5:FD7BBFF7C4593095640B1CCA3E48D350
    SHA1:86ED8E32C13062AC036C85AD1512462B25674722
    SHA-256:7D0E9FCCA5DE059F3EF183D69D6A70D043448D3137CAC7381744697EC5269DC1
    SHA-512:75989941A4C2CE108B8AE4B6CEE65D1D4111F11A29B56F67606C6CBAB641379E51FA0BEAA732A1982F3FF0626CDFEA8DCBD56F0572E48F8301222B1024FFC698
    Malicious:false
    Reputation:low
    Preview:v..`..........|...x...gTS....K.R..).J...z.A.@hF@...R"...".`.*.i.((...0..MD....tPJ.@Fj...f.?...w..rr......_..\*..D...!,....a..9....@.A....1....... ..0@....>,.2...2...!.W...V...A....z...=... ..A...^....>.....!.. .#.,..y-.HA.Y.1B0?./......U....u..4.._.V...?k.eA.$.k..@........z..@..H7....@ ......"..d=@.Q..F....R@...Y ......(.M`3P.J`......P.j`.P..'5....v.m...@...}`....m.1..`.L........,....6......8.G..N....W................>..........@... 8..A...!....Pp...pp.D.H......X......j..'..H9Xy0...G.zC.........s.....1).F...........,.......&.03}...........*~....} ..T....a.G.Q|...f..u...z...B.....M......W.....~.Y~.k....S..S.s=.}.E.%7Un.X+.JF/.C.3.;.%V.1f..)].f.E.,K.*.'...M.+.r...J7....\4....k..p..7....\'%..T.V..S..........,..d7=2/.2...W..i..F..sV..5...%.0.G.D....fI".1...htq...P.}}..U=.o.B.)......cw.s...3..}.q...uL.^>jz....q..H............c..z;.x.0Kz.*U..6......mI.......B..v/cB]+.X...w6.8....{....O..5...H?:t..As.....w...._<}.a...5.>.........A..t.<.=.@...R......E..c.
    File Type:rpmsg Restricted Permission Message
    Category:dropped
    Size (bytes):1318359
    Entropy (8bit):7.992102357800238
    Encrypted:true
    SSDEEP:
    MD5:FD7BBFF7C4593095640B1CCA3E48D350
    SHA1:86ED8E32C13062AC036C85AD1512462B25674722
    SHA-256:7D0E9FCCA5DE059F3EF183D69D6A70D043448D3137CAC7381744697EC5269DC1
    SHA-512:75989941A4C2CE108B8AE4B6CEE65D1D4111F11A29B56F67606C6CBAB641379E51FA0BEAA732A1982F3FF0626CDFEA8DCBD56F0572E48F8301222B1024FFC698
    Malicious:false
    Reputation:low
    Preview:v..`..........|...x...gTS....K.R..).J...z.A.@hF@...R"...".`.*.i.((...0..MD....tPJ.@Fj...f.?...w..rr......_..\*..D...!,....a..9....@.A....1....... ..0@....>,.2...2...!.W...V...A....z...=... ..A...^....>.....!.. .#.,..y-.HA.Y.1B0?./......U....u..4.._.V...?k.eA.$.k..@........z..@..H7....@ ......"..d=@.Q..F....R@...Y ......(.M`3P.J`......P.j`.P..'5....v.m...@...}`....m.1..`.L........,....6......8.G..N....W................>..........@... 8..A...!....Pp...pp.D.H......X......j..'..H9Xy0...G.zC.........s.....1).F...........,.......&.03}...........*~....} ..T....a.G.Q|...f..u...z...B.....M......W.....~.Y~.k....S..S.s=.}.E.%7Un.X+.JF/.C.3.;.%V.1f..)].f.E.,K.*.'...M.+.r...J7....\4....k..p..7....\'%..T.V..S..........,..d7=2/.2...W..i..F..sV..5...%.0.G.D....fI".1...htq...P.}}..U=.o.B.)......cw.s...3..}.q...uL.^>jz....q..H............c..z;.x.0Kz.*U..6......mI.......B..v/cB]+.X...w6.8....{....O..5...H?:t..As.....w...._<}.a...5.>.........A..t.<.=.@...R......E..c.
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:
    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
    Malicious:false
    Reputation:low
    Preview:[ZoneTransfer]..ZoneId=3..
    Process:C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):3.6946330635768145
    Encrypted:false
    SSDEEP:
    MD5:7047391D8BE68C88180B65F9AA90442F
    SHA1:577113C6A30331FBD5711BE43E4E85D80C801ECB
    SHA-256:FD616727191EBCDE1283E2FECFB4C016CFEC304D572363A4DA67492497906A2C
    SHA-512:F295F6FD183BDBDBDF6067B553B3FA259C8B39F631DC3B276505AF0E2A96F8902DEBA800C1CF6780676FB2EA78DB9AC9A13E6EA5DC183AE2D9382CB7B41CB1EE
    Malicious:false
    Reputation:low
    Preview:............................................................................n.............._#c...................G......~W._#c..Zb..2...............................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1..............................................................b..............._#c..........v.2._.O.U.T.L.O.O.K.:.1.9.9.8.:.8.f.e.8.4.5.7.2.3.f.7.8.4.3.b.9.9.5.6.c.c.9.2.2.e.4.7.5.2.2.e.8...C.:.\.U.s.e.r.s.\.a.l.f.r.e.d.o.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.3.9.2.9._.2.0.3.8.6.-.2.0.2.3.0.3.3.0.T.1.8.1.9.1.6.0.1.3.4.-.6.5.5.2...e.t.l.........P.P..........;._#c..........................................................................................................................................................................................................................................................................................
    File Type:data
    Category:dropped
    Size (bytes):1187287
    Entropy (8bit):7.991136316524422
    Encrypted:true
    SSDEEP:
    MD5:C30454D0AC58D7CA88634A3920C6C9EE
    SHA1:DEF8AADF163DD66AB6EBB00F5AF67E0A11118434
    SHA-256:89DE78F0856D401F16AAF962841EC3BD05D53F2D83F905722CDE2D0C430DE3CC
    SHA-512:C273EDC8D3504BBDC6E08B9C361196432E9FF69B67E2ACFDDAE7A1B01FBD33A8508F7E96912D88AB97571E02E73A374B363EFFF5CE5ABFAB432721AA97C7899E
    Malicious:false
    Reputation:low
    Preview:~_..>-.u/&).q....t|...h.<...K.k.~.;.R.9....=..ozP.....&...[..Wm-..3.j......+......u^.....O...._.J.u....?.'...K..W~T#..i...GLq...r...Fh..S.bT.l.......;X.d.....h..f..C>DKI..;..uc...g...id....f........$.K6r..s.~..#.........h..y...8...~..S..+).D+...KsE+e.Q..m..4.....".*...k.P...[........)=...-.g,..TY#f.........nd......7.5o.......WYr......G.....".I..k..%....'.^E.Z..:R..9r...2y..$....p..4....). ./....b.[P.[.d.@.]...gT*.....0...G.....?./~kH...v."..'"iS..../>.!.......C..&...N......$.....l\.e...s.@..@_.......01..[q..d..Y|.[.&.p..O[..]...\......x...z..3L*....7...K-.[*.w.,....k..']s...`.....&.....y8.I..L$v.....-./../q`.(......?~)..t=.....+.ij!?[K..7Z......$....1v....g.j....S2d".......A.yZ..z*eY....I!...N..*...A9.e..M3...gG|...&.$f..T..*....$.\.!.Q..".~...VD._^.........L...'..u..X..L...Dl&F..[O,C.B.D.7g]......}P.Rz....:.....6X..;.V.M!..O.....L.\.j=@2Z[.L.@t..MqO..T..*....%....B.a.RH..:.F..@*...e.....7....6..zo..-..q.. ..s...N..b~
    File Type:data
    Category:dropped
    Size (bytes):49152
    Entropy (8bit):0.679768771948196
    Encrypted:false
    SSDEEP:
    MD5:6F6CAE7D966AB20C4397506DA1BFA73A
    SHA1:7133F5D4945F4631AFD7D0DF2FC2799AE3CBA860
    SHA-256:0F57E02AD4B9A9E9A0F8A8EBFE492247D2047D4015DED2CD0DEB2E0FE7A3F7A0
    SHA-512:96A347F39574C31DD29F4E48035FD6094E434638C6D8114127FB31F7CB4D1BE18A028BBC438E09E55C5FFAE4575ACA952EAD597F193750A5274E321026867FB5
    Malicious:false
    Reputation:low
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):16384
    Entropy (8bit):0.9113788463168018
    Encrypted:false
    SSDEEP:
    MD5:ADF2D857DD0C62FE2E920AC80B78A9FD
    SHA1:3ABFD8C32DB0FBF84CAF8B332FF81D2D016A44D8
    SHA-256:C5DC3E05AE985E53716509BFC6BB51AED623B3B92DAE68260C41F4B590484385
    SHA-512:BDE91F40B95FCF1A57B591CD6DC1D55FD301AE992802A01FC89A8D6B8184EFA13B99BCF1EF36B9E0C77544FF632EDE3232115B6795649739A1C12E6E61193A1D
    Malicious:false
    Reputation:low
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
    Category:dropped
    Size (bytes):20
    Entropy (8bit):2.8954618442383215
    Encrypted:false
    SSDEEP:
    MD5:F265DE41A3438656937BE5C5D5533FD0
    SHA1:821DB3674A94901FB5EC364B219CD1988114E406
    SHA-256:18EB4D03AEAF29E2919C8D5382C2184B16ACFE5E4F3A2CEA39E43D8A02C284F1
    SHA-512:7B3485397CFD4F88E2C7A36FB4642A3F9C996127BA36E8C306CB7560B03EE8AE839EE0564FB47A06BCE6DC01CD82BEC5D1479B70054F2186C255C4CE33C5ECF1
    Malicious:false
    Reputation:low
    Preview:..a.l.f.r.e.d.o.....
    File Type:rpmsg Restricted Permission Message
    Category:dropped
    Size (bytes):1318359
    Entropy (8bit):7.992102357800238
    Encrypted:true
    SSDEEP:
    MD5:FD7BBFF7C4593095640B1CCA3E48D350
    SHA1:86ED8E32C13062AC036C85AD1512462B25674722
    SHA-256:7D0E9FCCA5DE059F3EF183D69D6A70D043448D3137CAC7381744697EC5269DC1
    SHA-512:75989941A4C2CE108B8AE4B6CEE65D1D4111F11A29B56F67606C6CBAB641379E51FA0BEAA732A1982F3FF0626CDFEA8DCBD56F0572E48F8301222B1024FFC698
    Malicious:false
    Reputation:low
    Preview:v..`..........|...x...gTS....K.R..).J...z.A.@hF@...R"...".`.*.i.((...0..MD....tPJ.@Fj...f.?...w..rr......_..\*..D...!,....a..9....@.A....1....... ..0@....>,.2...2...!.W...V...A....z...=... ..A...^....>.....!.. .#.,..y-.HA.Y.1B0?./......U....u..4.._.V...?k.eA.$.k..@........z..@..H7....@ ......"..d=@.Q..F....R@...Y ......(.M`3P.J`......P.j`.P..'5....v.m...@...}`....m.1..`.L........,....6......8.G..N....W................>..........@... 8..A...!....Pp...pp.D.H......X......j..'..H9Xy0...G.zC.........s.....1).F...........,.......&.03}...........*~....} ..T....a.G.Q|...f..u...z...B.....M......W.....~.Y~.k....S..S.s=.}.E.%7Un.X+.JF/.C.3.;.%V.1f..)].f.E.,K.*.'...M.+.r...J7....\4....k..p..7....\'%..T.V..S..........,..d7=2/.2...W..i..F..sV..5...%.0.G.D....fI".1...htq...P.}}..U=.o.B.)......cw.s...3..}.q...uL.^>jz....q..H............c..z;.x.0Kz.*U..6......mI.......B..v/cB]+.X...w6.8....{....O..5...H?:t..As.....w...._<}.a...5.>.........A..t.<.=.@...R......E..c.
    File Type:data
    Category:dropped
    Size (bytes):197056
    Entropy (8bit):7.631073720271
    Encrypted:false
    SSDEEP:
    MD5:99D8065B851E46FEDDE1F761E6243AE4
    SHA1:F97C8010903B9808C5A3A4B14C09CD9447EF17BF
    SHA-256:E37C2697A7FC889F50B99575ECDAFA5DE21929EB219D204EAEAD7852097EBF99
    SHA-512:9D4C02A8F2E40266E284FCF7388DED2A190671DCB7EB96E7CD6B2AB807AD423F5B844FB52FEEE04F1785038BA56E0C4631E12438D263A3879ABCC7E3730D6FB7
    Malicious:false
    Reputation:low
    Preview:....LAAAAAAA..nA.AAA.w.6.AAA.w.6A6AA.w.6L6AA.wbA!AAA.wbAAA..6..6&AAA...6.AAAb..6XAAA..A.AAA!..A6AAAn..A6AAAAAAA(...+`...D^..NVbk.AAAAAA.AAA.AAAAAAAAAAAbAAA#AAAAAAAAAAAbAAA&AAAAAAA.AAA!AAA.6...6..AAA!AAA.6...6..AAA!AAA.6...6...AAAAAAAMAAA.AAAnAAAAAAAbA..AAA6AAA.AAAXAAA.AAAAAAA.AAA.AAAP6AA.AAA...I.AGA..AAbAAA.AAA.AGA.AGA.AAA.AAA.A...A..AAAA.AAA.AAA.A...AAAb6AA.A6.....AAA.AAA.A6..A6.AAAA(...+`...D^..NVb..AAAAAA(...+`...D^..NVb..AA.A.A.A.A.A.A.A.A.AxA.A.A..AA..AA.'AA.'AA..AA..AA..AA'.AAk.AAV.AA..AA..AA..AA'.AAk.AA.AAA.AtA.A.A.6.6.6.6.6.................. ...............A..LAAAAAAA..nA.AAA6#.A&AAA.#.AAAAA..bAAAAAb.bAAAAA...AAAAA*.A.AAA+A.AxA.A:AJA.A.A.AUA.A+A.AxA.A:AJA.A.AAA.AtAEA.A.A..........................................................v..\Ob.^D........A...AAAAAAA...AAAAA.5&A&AJA.ALAAAAAAAAAAA.AGA.A.b.A%A.A...6.AqA.^bA...A..bA5..A...A6#tA.!bA.SAA.AbA.S.A.6.AA..A...Ab.&A6.b.!.#A.d.A..A..bAb~.A.n.6.~.A...6!~LA..An~.A..bA.~HA...S.cA.t.A..A.].A,.EA...6..A...6Y.A.*bA..A...AAA.A
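The three dropped copies of the 1318359-byte "rpmsg Restricted Permission Message" above are the RMS-protected payload of this mail, and the report can only describe the wrapper: the dropped msipc log records "Client id is not set, authentication against Evo will not be possible", so the Information Protection client never obtained a use license and the content was never decrypted in the sandbox, which is why the file sits at entropy 7.992 and is flagged Encrypted:true. The script below is an added example, not Joe Sandbox or Microsoft code, showing the offline checks a practitioner would run on such a drop: it reproduces the report's "Entropy (8bit)" figure, applies the high-entropy heuristic, and walks the rpmsg container. The container layout it assumes is recalled from [MS-OXORMMS] and was not verified against this sample: an 8-byte magic 76 E8 04 60 C4 11 E3 86 (the preview's leading "v..`" is consistent with 0x76 .. .. 0x60), then segments each with a 12-byte little-endian header (final-segment flag, compressed size, uncompressed size) followed by a zlib stream, the decompressed segments concatenating into a CFB/OLE2 storage. The 7.99 threshold is likewise an assumption fitted to the values in this table (7.991 and 7.992 flagged, 7.956 and 7.631 not), not a documented Joe Sandbox rule. The sample input is constructed inside the script; reading the streams inside the decompressed storage (the encrypted content and the publishing license) would need a CFB parser such as olefile and is out of scope here.

```python
"""Offline triage of a dropped .rpmsg container (added example, not sandbox code).

ASSUMED container layout (recalled from [MS-OXORMMS], not verified on this sample):
  8-byte magic 76 E8 04 60 C4 11 E3 86, then segments of
  <u32 final_flag><u32 compressed_size><u32 uncompressed_size><zlib stream>.
  Decompressed segments concatenate into a CFB storage (D0 CF 11 E0 A1 B1 1A E1).
"""
import hashlib
import math
import struct
import zlib
from collections import Counter

RPMSG_MAGIC = bytes.fromhex("76E80460C411E386")
CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
SEG_HDR = struct.Struct("<III")  # final_flag, compressed_size, uncompressed_size


def entropy_8bit(data: bytes) -> float:
    """Shannon entropy in bits per byte: the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.99) -> bool:
    """Heuristic fitted to the table (assumed threshold, not a documented rule):
    7.991/7.992 -> Encrypted:true, 7.956 (4 KiB) and 7.631 -> false."""
    return entropy_8bit(data) >= threshold


def parse_rpmsg(blob: bytes) -> dict:
    """Validate the magic, walk the segments, decompress them with size caps,
    and report whether the result starts like a CFB storage."""
    if not blob.startswith(RPMSG_MAGIC):
        raise ValueError("not an rpmsg container (bad magic)")
    pos = len(RPMSG_MAGIC)
    out = bytearray()
    segments = 0
    while pos < len(blob):
        if pos + SEG_HDR.size > len(blob):
            raise ValueError("truncated segment header at offset %d" % pos)
        final, comp_len, uncomp_len = SEG_HDR.unpack_from(blob, pos)
        pos += SEG_HDR.size
        chunk = blob[pos:pos + comp_len]
        if len(chunk) != comp_len:
            raise ValueError("truncated segment data at offset %d" % pos)
        pos += comp_len
        # The declared sizes are attacker-controlled: cap the inflated output so a
        # lying header cannot turn the parser into a decompression bomb.
        d = zlib.decompressobj()
        try:
            plain = d.decompress(chunk, uncomp_len + 1)
        except zlib.error as exc:
            raise ValueError("segment %d: bad zlib stream (%s)" % (segments, exc))
        if len(plain) != uncomp_len or d.unconsumed_tail or not d.eof:
            raise ValueError("segment %d: declared %d bytes, stream disagrees"
                             % (segments, uncomp_len))
        out += plain
        segments += 1
        if final:
            break
    return {
        "segments": segments,
        "trailing_bytes": len(blob) - pos,        # bytes after the final segment
        "decompressed_len": len(out),
        "is_cfb": bytes(out[:8]) == CFB_MAGIC,
        "container_entropy": round(entropy_8bit(blob), 4),
        "payload_entropy": round(entropy_8bit(bytes(out)), 4),
    }


def build_sample_rpmsg(payload: bytes, seg_size: int = 4096) -> bytes:
    """Constructed sample container (NOT the analysed message_v2.rpmsg)."""
    body = bytearray(RPMSG_MAGIC)
    chunks = [payload[i:i + seg_size] for i in range(0, len(payload), seg_size)] or [b""]
    for idx, chunk in enumerate(chunks):
        comp = zlib.compress(chunk)
        body += SEG_HDR.pack(1 if idx == len(chunks) - 1 else 0, len(comp), len(chunk))
        body += comp
    return bytes(body)


def sample_payload(n_blocks: int = 2048) -> bytes:
    """Constructed stand-in for the decompressed storage: a CFB header plus a
    deterministic SHA-256 keystream standing in for the still-encrypted content."""
    ct = b"".join(hashlib.sha256(b"constructed-sample-%d" % i).digest()
                  for i in range(n_blocks))
    return CFB_MAGIC + b"\x00" * 504 + ct


if __name__ == "__main__":
    info = parse_rpmsg(build_sample_rpmsg(sample_payload()))
    for key, value in info.items():
        print("%-20s %s" % (key + ":", value))
    print("payload looks encrypted:", looks_encrypted(sample_payload()))
```

Run it against a real drop by replacing the constructed sample with the file bytes; a ValueError from the walker (bad magic, truncated segment, size mismatch) is itself a finding, since a genuine Outlook-produced rpmsg should walk cleanly to a CFB header, and a high payload entropy after decompression tells you the content is ciphertext rather than merely compressed.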
    File type:RFC 822 mail, ASCII text, with very long lines (749), with CRLF line terminators
    Entropy (8bit):6.0510153725291635
    TrID:
    • E-Mail message (Var. 5) (54515/1) 100.00%
    File name:attachment (5).eml
    File size:1823701
    MD5:165818089d440f4401ca2c6f474d141c
    SHA1:f1afe08f8319422addc598c6a3f7841c2b88cd82
    SHA256:4f1f650d513c99627917b759787d2a91bec971ec0cc052b07944a6c8ef6e258c
    SHA512:bf0b8eb99a981bc00b4f3f88fcbe3177446f70ae3887257997f4985b57927405de091f6dab0587a98af21830535f16bc9404e6282f9fda44a6657f07acb3605a
    SSDEEP:24576:PhXmHC8tggVMWWQxN03v6iZeC6g3A2PSvay/zmwxReUQ5H1st6IhExXWtDLj0MiT:PJGZoixxkUAVem24
    TLSH:E68523B9A00A7BDB0E3162B5A24D6C719EED3CC745950617A3BDCAB174BE0B4CF1D824
    File Content Preview:Received: from PH7PR16MB4851.namprd16.prod.outlook.com (::1) by.. SN1PR16MB2416.namprd16.prod.outlook.com with HTTPS; Thu, 30 Mar 2023 15:46:17.. +0000..Received: from BL0PR0102CA0003.prod.exchangelabs.com (2603:10b6:207:18::16) by.. PH7PR16MB4851.namprd1
    Icon Hash:98818c8a0e04e198