
Windows Analysis Report
Payment Notification.msg

Overview

General Information

Sample name: Payment Notification.msg
Analysis ID: 1520503
MD5: 06c0d12c4506593156fab7dd90ee7dd7
SHA1: 1de63367d82f1f0c3161c27f7532893ed972c293
SHA256: 1de64415b4416951fa76930050af3251ebb5ad4ba14a5e36d8f3eea90c5e847e
Infos:

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected phishing page
Detected non-DNS traffic on DNS port
HTML body contains low number of good links
HTML title does not match URL
None HTTPS page querying sensitive user data (password, username or email)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Suspicious form URL found

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2300 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Payment Notification.msg" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7056 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "59B2A838-0380-452D-A670-9D7BF4DB4190" "BC6C1EFA-D211-406B-9636-10E8EBB51CD5" "2300" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 1608 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ULMT1WW1\Payment Notification.HTML MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 3020 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2004,i,13723851235940274987,11511661909437348448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set; Author: frack113; Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ULMT1WW1\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched


Phishing

Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; LLM: Score: 10 Reasons: HTML file with login form DOM: 0.0.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: Title: Payment Copy does not match URL
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: Form action: https://captain-hearo.co.za/wp-admin/images/eee.php
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: No favicon
Source: https://gcdnb.pbrd.co/images/d5qRdBAI62SB.jpg; HTTP Parser: No favicon
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML; HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: chrome.exe; Memory has grown: Private usage: 1MB later: 29MB
Source: global traffic; TCP traffic: 192.168.2.16:56872 -> 1.1.1.1:53 (repeated 6 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (repeated 2 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 1.1.1.1 (repeated 5 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (repeated 4 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 192.229.221.95 (repeated 2 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (repeated 2 times)
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: captain-hearo.co.za
Source: global traffic; DNS traffic detected: DNS query: gcdnb.pbrd.co
Source: global traffic; DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: unknown; Network traffic detected: HTTP traffic on port 56875 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown; Network traffic detected: HTTP traffic on port 56874 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 56876 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 56877 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 56878 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 56879 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56877
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56878
Source: unknown; Network traffic detected: HTTP traffic on port 56881 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56879
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56874
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56875
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56876
Source: unknown; Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 56881
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown; Network traffic detected: HTTP traffic on port 49718 -> 443
Source: classification engine; Classification label: mal48.phis.winMSG@24/11@8/96
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240927T0636080779-2300.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Payment Notification.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "59B2A838-0380-452D-A670-9D7BF4DB4190" "BC6C1EFA-D211-406B-9636-10E8EBB51CD5" "2300" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" (repeated 2 times)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ULMT1WW1\Payment Notification.HTML
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2004,i,13723851235940274987,11511661909437348448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ULMT1WW1\Payment Notification.HTML
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (repeated 2 times)
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=2004,i,13723851235940274987,11511661909437348448,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (repeated 15 times)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (repeated 2 times)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (repeated 48 times)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX (repeated 11 times)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (techniques listed per tactic; the number in parentheses is the count of matching signatures, techniques without a number had no match):

  • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
  • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
  • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
  • Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron, Launchd
  • Persistence: DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Logon Script (Windows), Login Hook, Network Logon Script
  • Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Registry Run Keys / Startup Folder (1), Extra Window Memory Injection (1), Network Logon Script
  • Defense Evasion: Masquerading (3), Process Injection (1), DLL Side-Loading (1), Obfuscated Files or Information (1), Extra Window Memory Injection (1)
  • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
  • Discovery: Process Discovery (1), File and Directory Discovery (1), System Information Discovery (13), System Network Configuration Discovery, Internet Connection Discovery
  • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
  • Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
  • Command and Control: Encrypted Channel (2), Non-Application Layer Protocol (1), Application Layer Protocol (2), Protocol Impersonation, Fallback Channels
  • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
  • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

No Antivirus matches (reported for each of the five antivirus sections)
Domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
a.nel.cloudflare.com | 35.190.80.1 | true | false | | unknown
gcdnb.pbrd.co | 104.21.68.220 | true | false | | unknown
captain-hearo.co.za | 154.0.160.214 | true | false | | unknown
www.google.com | 142.250.186.132 | true | false | | unknown

URLs:

Name | Malicious | Antivirus Detection | Reputation
https://gcdnb.pbrd.co/images/d5qRdBAI62SB.jpg | false | | unknown
file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML | true | | unknown

IPs (legend for the ASN size indicator):
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.184.195 | unknown | United States | 15169 | GOOGLEUS | false
142.250.185.78 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
34.104.35.123 | unknown | United States | 15169 | GOOGLEUS | false
108.177.15.84 | unknown | United States | 15169 | GOOGLEUS | false
154.0.160.214 | captain-hearo.co.za | South Africa | 37611 | AfrihostZA | false
104.21.68.220 | gcdnb.pbrd.co | United States | 13335 | CLOUDFLARENETUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
20.189.173.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.186.132 | www.google.com | United States | 15169 | GOOGLEUS | false
35.190.80.1 | a.nel.cloudflare.com | United States | 15169 | GOOGLEUS | false
172.217.16.195 | unknown | United States | 15169 | GOOGLEUS | false
52.109.76.144 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false

Private IP:

IP
192.168.2.16
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520503
Start date and time: 2024-09-27 12:35:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: Payment Notification.msg
Detection: MAL
Classification: mal48.phis.winMSG@24/11@8/96
Cookbook Comments:
  • Found application associated with file extension: .msg
  • Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132
  • Excluded domains from analysis (whitelisted): ecs.office.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, ecs-office.s-0005.s-msedge.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • Report size getting too big, too many NtSetValueKey calls found.
  • VT rate limit hit for: Payment Notification.msg
Input | Output

URL: Email  Model: jbxai
{
  "brand": ["X"],
  "contains_trigger_text": false,
  "trigger_text": "",
  "prominent_button_name": "Sign in with Google",
  "text_input_field_labels": ["Sign in with Google", "Sign in with Apple", "Phone", "email", "username"],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}

URL: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/ULMT1WW1/Payment%20Notification.HTML  Model: jbxai
{
  "brand": ["Globi"],
  "contains_trigger_text": true,
  "trigger_text": "VIEW PAYMENT.pdf",
  "prominent_button_name": "VIEW PAYMENT.pdf",
  "text_input_field_labels": ["Open with microsoft account", "Email", "Password"],
  "pdf_icon_visible": true,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}

URL: https://gcdnb.pbrd.co/images/d5qRdBAI62SB.jpg  Model: jbxai
{
  "brand": ["docdroid"],
  "contains_trigger_text": false,
  "trigger_text": "",
  "prominent_button_name": "Sign in with Google",
  "text_input_field_labels": ["Sign in with Google", "Sign in with Apple", "Phone", "email", "username"],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):231348
              Entropy (8bit):4.388727736148312
              Encrypted:false
              SSDEEP:
              MD5:E380DF77BF0445F863FD0F49352DBCDB
              SHA1:D77972D897A43683B5FCE72EA2CE6C2C39C68038
              SHA-256:0BD4424F866DB41E9568D07F6042DC52CCC7B1A2D5C1968DFAB4A2ADD61A9470
              SHA-512:AC05999958484B7089877EB7860909838E3F51DD9ED3B03A432AA0793C13531D4504D83ED5F79FAA9E53235F74C72D0F4DBC94BAF4085B70B2E5BD75C456671F
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
              Category:modified
              Size (bytes):1869
              Entropy (8bit):5.085151849115282
              Encrypted:false
              SSDEEP:
              MD5:5378940AB38F46686F2D81247C06D7F3
              SHA1:D3C0AAE09A4AECFE4097340B8A1F7E9E9AAA8422
              SHA-256:8249934A95554238CDA71CBD317B299E47BBAB1E0AFEC4416AA9F611B29432EE
              SHA-512:EBAFF38047D2FB32FF304ED667A680B45EA29F20B60B4C0ACAA509BF8D5DBDFC50FE179457B8548B981F731370A1858F5048B5A3633E5286AB39EE0B308519BF
              Malicious:false
              Reputation:unknown
              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-09-27T10:36:10Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-06T09:25:29Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-06T09:25:29Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-06T09:25:29Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:HTML document, ASCII text, with very long lines (7537), with CRLF line terminators
              Category:dropped
              Size (bytes):8857
              Entropy (8bit):6.159690219996976
              Encrypted:false
              SSDEEP:
              MD5:61101BB916192727A465FFC770916C06
              SHA1:0E6EFD108677A2E3A0B37385D1CECFE06BE4A879
              SHA-256:CF94DBA75513B6FB881EE49D943835009DD0C5DA02EB88C2A2D56DD347E8D394
              SHA-512:F782044E0B7A178B32087E2637B277B0560E6ACB814B781498A6DE8921177D39040BFE5AEA30D6E48D781FAD3D508F880D1AC7B654941AE16F1FAE34F0FE8AC0
              Malicious:false
              Reputation:unknown
Preview: .. .. ...<title>Payment Copy</title> ...<style> ....body { .....background-image: url('data:image/png;base64,
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:ASCII text, with CRLF line terminators
              Category:dropped
              Size (bytes):26
              Entropy (8bit):3.95006375643621
              Encrypted:false
              SSDEEP:
              MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
              SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
              SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
              SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
              Malicious:false
              Reputation:unknown
              Preview:[ZoneTransfer]..ZoneId=3..
              Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
              File Type:data
              Category:dropped
              Size (bytes):30
              Entropy (8bit):1.2389205950315936
              Encrypted:false
              SSDEEP:
              MD5:ED7AA87545B845548C604E9A520A15B1
              SHA1:A07A2CBDD4DA730D2E6F5B2601EEB2470735774C
              SHA-256:A4E152DC262E9BC716144CB49E0218B197C6A35D8B6BD5E2EF758AA212C0BA52
              SHA-512:5966BCE947C358E4702E8AC9ECB0E437C3322FEB74A7E9277D48B3BEFBAAA7A446C6FA0AACE7E3A4459B8C17AB53B3D7CA68F9CF23671545F24B5A0D4001CE63
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:37:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2673
              Entropy (8bit):3.9827078824147932
              Encrypted:false
              SSDEEP:
              MD5:E9BCA245486C871F18FE301B92E18724
              SHA1:DE67E54D09669CB21BEC4354E2E326082C936483
              SHA-256:B6364E43F5FB27B612C46D385F257D118AE85DAE2D312CF3ECA9639148B20073
              SHA-512:868422A6DDCFA24FCBAA6138D8E694FE217BE0EBA0666F85C0DA5D81AE5C536FCDA173B0A2D12D286421CADEC9E319FDD5FCAB496F0F20660C8AD3E608C4164E
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:37:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2675
              Entropy (8bit):4.001470619819501
              Encrypted:false
              SSDEEP:
              MD5:BECE3C8F22018B601C5687430D5843A6
              SHA1:0E87E835904683DDE9290BD3DD32E08918503BE7
              SHA-256:96178F0DE7B9D835EDB8474144CC0A57A485FC75C777808C98B1988504029515
              SHA-512:B0B6E757BB840E88E52B5C3131303B5BFB76F7CC55CA8E89B1B4091A71BB34FA302FEE4F6F5A90D3AF1A9967C62670778A7993FBD59BADC6A6C0EB01619B2EA3
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2689
              Entropy (8bit):4.007597958186053
              Encrypted:false
              SSDEEP:
              MD5:0D5C32F5ED15F3683A42A905DAB5E3FB
              SHA1:F2C0E232CBEB4D78E49B81158B7608A0FEA091D3
              SHA-256:0C9421D88F739033C250D46F11AE01A3B6960E4DE8CFAA9CEADA7C6E980D4314
              SHA-512:CADF0AB677FBC8E90EBD0358C89DB59C10F75FA3D2B0E0422D2258EA8548681FB9A5F70D8975B06152DE1D17EAFE5E06802FD416AE5F24A5CC1F680A48D88A28
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:37:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2677
              Entropy (8bit):3.9981545793233324
              Encrypted:false
              SSDEEP:
              MD5:958AEB5597FC9A4099646765D5D2F325
              SHA1:A779D472525DF02AEAA8CB30F2B6EEBCC5212D2C
              SHA-256:8D32F6899A313369A6CFDDCBE25652B9D4A2A9024A4046C480D6D4E817A8151C
              SHA-512:D6B0C81C4F48AE526585D623888E1EF51C8554CF6A01E9F7A2C88ED6CB8DC831AAFE3F5DFB1464B5732684FC5A8FD987EA1922ABBC1F918F9F1CD9719A3E8E8D
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:37:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2677
              Entropy (8bit):3.985391776198069
              Encrypted:false
              SSDEEP:
              MD5:5853573CC12EAEB5FBA6132F0C7E9BB3
              SHA1:F7C71EB4E6E3A93649244E6C56FB4B2282C3E8C1
              SHA-256:AE596076AF6CDE784CB1AD4BF3776649770926C06189BD20EC1940219B05C348
              SHA-512:E84D8B9446D31350BBE889CA85F9B26B0952955B9122573AC443C70E3FE38F9CD11B9201E927F8077DC23B2AB7558480A6E422E1F494843966BEB8172993E929
              Malicious:false
              Reputation:unknown
              Process:C:\Program Files\Google\Chrome\Application\chrome.exe
              File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Sep 27 09:37:08 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
              Category:dropped
              Size (bytes):2679
              Entropy (8bit):3.9952009270043027
              Encrypted:false
              SSDEEP:
              MD5:26891522A06B48A3F93AC265D1BF54DF
              SHA1:13F08B01B550473DC1844C5CE82804F443846D5C
              SHA-256:E1D4F3065A476E17C716B7EEAD228A400620E62AA45E6C20CAB7FFF9A68030D4
              SHA-512:75445A784B507B0DE959B7FAD775695522BCAD3A247877D5DC073CC252B12CCA6C723F28110E13B17FEEC3EF265EAF18575FFEA622410257AE1779E98A10125F
              Malicious:false
              Reputation:unknown
              File type:CDFV2 Microsoft Outlook Message
              Entropy (8bit):4.41335524562531
              TrID:
              • Outlook Message (71009/1) 58.92%
              • Outlook Form Template (41509/1) 34.44%
              • Generic OLE2 / Multistream Compound File (8008/1) 6.64%
              File name:Payment Notification.msg
              File size:40'448 bytes
              MD5:06c0d12c4506593156fab7dd90ee7dd7
              SHA1:1de63367d82f1f0c3161c27f7532893ed972c293
              SHA256:1de64415b4416951fa76930050af3251ebb5ad4ba14a5e36d8f3eea90c5e847e
              SHA512:7047506c2922a72bb9c04eeab1b3f89487ce33af9947338a237f1f5e9e00db46422c2e8d800c6002365814922e3848e07bf4e5bad8079f2ec6b7454da04e1337
              SSDEEP:768:qIGmIY+SRb4zPWKx3SjlKKsKzSesnTVxJLq3ZnDH:qNlxij1HsTVPLEnD
              TLSH:3803632136F99609F27BEF324DE680C7C5257DC1EE21978F7292331E0572591A872B2B
              Subject:Payment Notification
              From:Siphesihle Sibanyon <ssibanyon@pcgroup.co.za>
              To:
              Cc:
              BCC:
              Date:Fri, 27 Sep 2024 10:44:26 +0200
              Communications:
              • ________________________________ CONFIDENTIAL CAUTION NOTICE This e-mail and any attachments may contain confidential, proprietary and/or personal information. It is intended solely for the use of the intended recipient. Access to this e-mail by any person other than the intended recipient is prohibited. If you are not the intended recipient, any processing of the e-mail or the information contained therein (including disclosure, dissemination, copying, distribution, storage) or any action taken or omitted in reliance upon this information, is prohibited and may be unlawful. If you have received this message in error, please notify the sender by return e-mail. ________________________________
              Attachments:
              • Payment Notification.HTML
              Key Value
Received: from JNAP275MB2078.ZAFP275.PROD.OUTLOOK.COM
Received: JNAP275MB2078.ZAFP275.PROD.OUTLOOK.COM with HTTPS; Fri, 27 Sep 2024 08:46:27
Received: CP7P275MB2534.ZAFP275.PROD.OUTLOOK.COM (2603:1086:100:51::8) with Microsoft
Received: 15.20.8005.22; Fri, 27 Sep 2024 08:44:26 +0000
Received: ([fe80::7b50:31e3:b32b:d2c0%4]) with mapi id 15.20.8005.020; Fri, 27 Sep 2024
Received: 08:44:26 +0000
From: Siphesihle Sibanyon <ssibanyon@pcgroup.co.za>
Subject: Payment Notification
Thread-Topic: Payment Notification
Thread-Index: AQHbELlhH+b8OFjr5EikPfi/hSGKKA==
Date: Fri, 27 Sep 2024 08:44:26 +0000
Message-ID: <JNAP275MB20785B920B35F0CC9AAD42F4FD6B2@JNAP275MB2078.ZAFP275.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Exchange-Organization-AuthAs: Internal
X-MS-Exchange-Organization-AuthMechanism: 04
X-MS-Exchange-Organization-AuthSource: JNAP275MB2078.ZAFP275.PROD.OUTLOOK.COM
X-MS-Has-Attach: yes
X-MS-Exchange-Organization-Network-Message-Id: 75b83c61-201d-451e-49a6-08dcded09821
X-MS-Exchange-Organization-SCL: 1
X-MS-TNEF-Correlator: msip_labels:
x-ms-publictraffictype: Email
X-Microsoft-Antispam-Mailbox-Delivery: ucf:1;jmr:0;auth:0;dest:C;OFR:CustomRules;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info: =?iso-8859-1?Q?AUpsXVwUXbeHNW8T1oIpNBQvpKT2wPY6sr7zC27I2whKVgmFdayRgMixzG?=
Content-Type: multipart/mixed;
MIME-Version: 1.0
date: Fri, 27 Sep 2024 10:44:26 +0200

              Icon Hash:c4e1928eacb280a2