Windows Analysis Report
s1TlFBQj.eml

Overview

General Information

Sample name:s1TlFBQj.eml
renamed because original name is a hash value
Original sample name:abx_CloudMessage_WzMzMTgsICI4M2JhYTdkZC1hMTQ1LTQzZDUtYmQ3MC0xODFkNTc5ZDczMTJAZmM1YzY4ZjYtOTdmMy00ZWZlLWI2ODktZWI1YzEyMzRmODIxIiwgIkFBa0FMZ0FBQUFBQUhZUURFYXBtRWMyYnlBQ3FBQy1FV2cwQTQ0UUxHVnhNRkVHUTMtOE1rZ0s1TlFBQj.eml
Analysis ID:1430411
MD5:95c17f3ada77d7b70fd103503afb65c3
SHA1:890d743a7924df81bbcd08882d1fb2cf77a17b74
SHA256:388fadb8c6b92e2c62f3218e90fb5ec2b1c2a6e0777009859a8439e6d32ffb0f

Detection

Score:2
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Creates a window with clipboard capturing capabilities
Phishing site detected (based on OCR NLP Model)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Office Macro File Download

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 2960 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\s1TlFBQj.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 1856 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "850F2285-132C-4041-86C8-A7FCAFCBC6A8" "E2F15479-65A2-46C7-AC1D-7CEED2590D36" "2960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2960, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: File created, Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 2960, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
No Snort rule has matched

There are no malicious signatures.

Source: MSG / EML, ML Model on OCR Text: Matched 85.6% probability on "No suele recibir correos electr6nicos de contabilidadfrijolin@gmail.com. Por qu esto es importante CAUTION: This email originated from outside the company . Do not click links or open attachments unless you recognize the sender and know the content is safe. co-facturasproveedor@hycite.com restauranteelfrijolin@gmail.com LSantan2@hycite.com restauranteelfrijolin@gmail.com restauranteelfrijolin@gmail.com LHernan2@hycite.com "
Source: s1TlFBQj.eml, String found in binary or memory: https://aka.ms/Lear=
Source: ~WRS{CDE2BE2F-EEA3-4F83-9DB8-DCFC83489BF8}.tmp.0.dr, String found in binary or memory: https://aka.ms/LearnAboutSenderIdentification
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Window created: window name: CLIPBRDWNDCLASS
Source: classification engine, Classification label: clean2.winEML@3/23@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240423T1626300189-2960.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, File read: C:\Users\desktop.ini
Source: unknown, Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\s1TlFBQj.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "850F2285-132C-4041-86C8-A7FCAFCBC6A8" "E2F15479-65A2-46C7-AC1D-7CEED2590D36" "2960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Window found: window name: SysTabControl32
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | 1 Clipboard Data | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
[Behavior graph: ID 1430411, Sample: s1TlFBQj.eml, Startdate: 23/04/2024, Architecture: WINDOWS, Score: 2. OUTLOOK.EXE started ai.exe.]

No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://aka.ms/Lear= | s1TlFBQj.eml | false | | high
https://aka.ms/LearnAboutSenderIdentification | ~WRS{CDE2BE2F-EEA3-4F83-9DB8-DCFC83489BF8}.tmp.0.dr | false | | high
No contacted IP infos
      Joe Sandbox version:40.0.0 Tourmaline
      Analysis ID:1430411
      Start date and time:2024-04-23 16:25:56 +02:00
      Joe Sandbox product:CloudBasic
      Overall analysis duration:0h 4m 9s
      Hypervisor based Inspection enabled:false
      Report type:full
      Cookbook file name:defaultwindowsinteractivecookbook.jbs
      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
      Number of analysed new started processes analysed:19
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Sample name:s1TlFBQj.eml
      renamed because original name is a hash value
      Original Sample Name:abx_CloudMessage_WzMzMTgsICI4M2JhYTdkZC1hMTQ1LTQzZDUtYmQ3MC0xODFkNTc5ZDczMTJAZmM1YzY4ZjYtOTdmMy00ZWZlLWI2ODktZWI1YzEyMzRmODIxIiwgIkFBa0FMZ0FBQUFBQUhZUURFYXBtRWMyYnlBQ3FBQy1FV2cwQTQ0UUxHVnhNRkVHUTMtOE1rZ0s1TlFBQj.eml
      Detection:CLEAN
      Classification:clean2.winEML@3/23@0/0
      EGA Information:Failed
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Found application associated with file extension: .eml
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, TextInputHost.exe, svchost.exe
      • Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.109.6.63, 23.193.106.147, 23.193.106.182, 20.189.173.25
      • Excluded domains from analysis (whitelisted): www.bing.com, ecs.office.com, omex.cdn.office.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, eus2-azsc-000.roaming.officeapps.live.com, osiprod-eus2-buff-azsc-000.eastus2.cloudapp.azure.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, us1.roaming1.live.com.akadns.net, login.live.com, s-0005.s-msedge.net, evoke-windowsservices-tas.msedge.net, onedscolprdwus20.westus.cloudapp.azure.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net, a1864.dscd.akamai.net
      • Not all processes were analyzed, report is missing behavior information
      • Report size getting too big, too many NtQueryAttributesFile calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • VT rate limit hit for: s1TlFBQj.eml
      No simulations
      No context
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):231348
      Entropy (8bit):4.393149266578248
      Encrypted:false
      SSDEEP:1536:DsYLkmgszmlHFIsvpgsiQCNcAz79ysQqt2VOW+qoQEPrcm0FvW57yMtr8kamWgPb:bBgnG+g/miGu2wqoQYrt0FvpKe4CCIbq
      MD5:DA5EDAEB4EC13DA0881A23409BCB2466
      SHA1:43C8A86F1F506BACE0E1E20796E99C3AAD6ADAAF
      SHA-256:40D5701E53FE758819C491E800A78514A962ED69B7BC3D4A82DE5ECB7316FE51
      SHA-512:2E95AAB5E96320FFE41C6AE2ADBF9C42ACD034D77D283FE6A1E873B2C52DC36280211EB78B369D28250C682DCB82D9D7C972C14CE15D4BEA43DA0C60F3933D9D
      Malicious:false
      Reputation:low
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:ASCII text, with very long lines (65536), with no line terminators
      Category:dropped
      Size (bytes):322260
      Entropy (8bit):4.000299760592446
      Encrypted:false
      SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
      MD5:CC90D669144261B198DEAD45AA266572
      SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
      SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
      SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
      Malicious:false
      Reputation:moderate, very likely benign file
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:ASCII text, with no line terminators
      Category:dropped
      Size (bytes):10
      Entropy (8bit):2.4464393446710155
      Encrypted:false
      SSDEEP:3:LHin:G
      MD5:D8C41D2EE04E494C640D9EF1FD6E7ABC
      SHA1:40A04C4B1ACA4C109EF948B151A3139B0134D26E
      SHA-256:3BEF3E7D6AACD6E14B82675CC8DC0E6913C8F8035158C561DD99EACD8DEC4944
      SHA-512:47E6FAA2E3D929E46E1B87D5246B45AFE49986EC8AD21DE5CA914E0C6D5660CA9F40F01FC771E085995B73B5B7EBE164ACE50BAD8684F4C0CEB39EAEA4F23104
      Malicious:false
      Reputation:low
      Preview:1713882393
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:JSON data
      Category:dropped
      Size (bytes):1573
      Entropy (8bit):5.1878472686410255
      Encrypted:false
      SSDEEP:48:YZVtmf/x1REziQQf/x16r6MzXeUmf/x1eAgEzx:Pfp1REzafp1s6Mzunfp1qEzx
      MD5:A36130221DA97AFF81D0929C64210C16
      SHA1:BA565A88EC843C7599917BE470D666454BC27D8B
      SHA-256:926B249AD4AF94A7835D553F07AFF99659157F10FCC26B4091A0B5EC015143A9
      SHA-512:543713495DD25E07BA648DCA1452A0012A1720695643D712F1D06A2A8F18C118C6D22C208FBCB1897A951925FEEDDDB989BAF2E300733B0066076A1F68886E2B
      Malicious:false
      Reputation:low
      Preview:{"CampaignStates":[{"CampaignId":"398f8b35-ef06-4a2b-a5dc-d85540d6fff3","LastNominationTimeUtc":"2023-10-06T09:55:42Z","LastNominationBuildNumber":"16.0.16827.20130","DeleteAfterSecondsWhenStale":31536000,"ForceCandidacy":false,"IsCandidate":true,"DidCandidateTriggerSurvey":false,"LastSurveyActivatedTimeUtc":"1601-01-01T00:00:00Z","LastSurveyId":"34d6c19c-a4a8-44c8-8cde-799414b8b5bc","LastSurveyStartTimeUtc":"2023-10-06T09:55:42Z","LastSurveyExpirationTimeUtc":"2024-10-05T09:55:42Z","LastCooldownEndTimeUtc":"1601-01-01T00:00:00Z"},{"CampaignId":"69e92aee-73d9-4a12-85fe-502abaebd9b1","LastNominationTimeUtc":"2024-04-23T14:26:30Z","LastNominationBuildNumber":"16.0.16827.20130","DeleteAfterSecondsWhenStale":2592000,"ForceCandidacy":false,"IsCandidate":true,"DidCandidateTriggerSurvey":false,"LastSurveyActivatedTimeUtc":"1601-01-01T00:00:00Z","LastSurveyId":"71d3b46b-477a-4cd3-84c5-32f34d09d2b0","LastSurveyStartTimeUtc":"2024-04-23T14:26:30Z","LastSurveyExpirationTimeUtc":"2024-05-23T14:26:
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:JSON data
      Category:dropped
      Size (bytes):740
      Entropy (8bit):4.578658879460996
      Encrypted:false
      SSDEEP:12:Ym6dnG20cYIyJG20c6IfG20c6IGG20cDIZG20cdI2ayG20cgaIbnG20cIQPIKG2X:YddnUcYIyJUc6IfUc6IGUcDIZUcdIFy0
      MD5:439A34DE8DA5C04AF25AADB84A2120D4
      SHA1:F12F9FF6E03A5762BD03061557029446680B1DAE
      SHA-256:32B560C75C25C6F56C0439F67A3FA7D4F271F07B435EE41575A3D82C6C612880
      SHA-512:BE704CD0DF8041945D16B8103135650B33D5E97D6F7C202E9C9499C3AE57E33855C2CC3A8F73B578DB482F47026C756F1FAA411A2CC58B5E53CE23CD24229834
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:{"ChannelStates":[{"ChannelType":0,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1209600},{"ChannelType":1,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":2,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":3,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":3600},{"ChannelType":4,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":10800},{"ChannelType":5,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":7776000},{"ChannelType":6,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1800},{"ChannelType":7,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":8,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1209600}]}
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:JSON data
      Category:dropped
      Size (bytes):87
      Entropy (8bit):4.576828956814449
      Encrypted:false
      SSDEEP:3:Y2NKbNCOAqui32B0fkWbSpgLGwHY:Y2YZOUU0ffogaw4
      MD5:E4E83F8123E9740B8AA3C3DFA77C1C04
      SHA1:5281EAE96EFDE7B0E16A1D977F005F0D3BD7AAD0
      SHA-256:6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31
      SHA-512:BD6B33FD2BBCE4A46991BC0D877695D16F7E60B1959A0DEFC79B627E569E5C6CAC7B4AD4E3E1D8389A08584602A51CF84D44CF247F03BEB95F7D307FBBA12BB9
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:{"ShouldFloodgateTakePrecedenceOverRateAndReview":false,"AreRatingSurveysEnabled":true}
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:JSON data
      Category:dropped
      Size (bytes):110
      Entropy (8bit):5.0204155958877905
      Encrypted:false
      SSDEEP:3:Y2Qt6eHgMgWIdiQKRB2RVVMXE9A/f392zJexGLlWrY1n:Y2Qt6eHlgliRn2RsXIA/fYwQZWM1
      MD5:4A6F413FBD153870C88C37524EE1C347
      SHA1:789D597E0020384A58DDFA7DD3B3B3FE42AC0C43
      SHA-256:59C05768D407F353CE6281C5B295DBBD6A1A4ED7FF33FFA0F00CAEA99D227BA1
      SHA-512:95D0B5DEAC8010B07CA30CBC874D99F62D8F05C5DE00F907D1C85F1DA6604FD49C4AA81DEE65DAFF80E63CE549E2C666C92AEDA60D06E71BE3785B73B0201843
      Malicious:false
      Reputation:low
      Preview:{"Surveys":{"71d3b46b-477a-4cd3-84c5-32f34d09d2b0":{"ExpirationTimeUtc":"2024-05-23T14:26:30Z","Counts":[0]}}}
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:JSON data
      Category:dropped
      Size (bytes):14
      Entropy (8bit):3.378783493486176
      Encrypted:false
      SSDEEP:3:Y2Qt6eYYn:Y2Qt6eYYn
      MD5:6CA4960355E4951C72AA5F6364E459D5
      SHA1:2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
      SHA-256:88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
      SHA-512:8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
      Malicious:false
      Reputation:moderate, very likely benign file
      Preview:{"Surveys":{}}
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
      Category:dropped
      Size (bytes):4096
      Entropy (8bit):0.09304735440217722
      Encrypted:false
      SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
      MD5:D0DE7DB24F7B0C0FE636B34E253F1562
      SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
      SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
      SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:SQLite Rollback Journal
      Category:dropped
      Size (bytes):4616
      Entropy (8bit):0.13784977103055013
      Encrypted:false
      SSDEEP:3:7FEG2l+wN4/FllkpMRgSWbNFl/sl+ltlslN04l9XllE:7+/lPig9bNFlEs1E39s
      MD5:CDFFC5BFF4DB0E1A02EB2B4DAE244166
      SHA1:9BAD1C1B8C2DE7DFEEF6DEBEA39B93BEFB7FB737
      SHA-256:7BD4480CA96CBCF65BDC8C007D83E7980CE168E81CB918C1D6938E2FB8398C7B
      SHA-512:965FC98A5A60749003D63D8844ADBD27EAF64086FE1D4810475BB57F400EA6976D8305A4B70CBE7331B089C322E8855F8E65A7B47CDC7BB72964BCBEE0347945
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):32768
      Entropy (8bit):0.0447824104283491
      Encrypted:false
      SSDEEP:3:G4l2YppGIYAl2YppGCmlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2Ypp4Al2YppcL9XXPH4l942U
      MD5:DE6BB4AE80364C1963348BC95FB2944F
      SHA1:490DEB13F31A6D17E6D5EED16CF01FE3F9DF2CDF
      SHA-256:B539905F3DE823EF24D2D0BA8994186E685FB9D0B84665ED942099D1629016EE
      SHA-512:44E5367F0506D07184B33E3E63B2C7F681F16C2438EA84A5CDC39FF6964421FBBBC71A368430D657B2648DA85D97B752082FFAED855BF1A09BBDFE22E8853E9A
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:SQLite Write-Ahead Log, version 3007000
      Category:dropped
      Size (bytes):45352
      Entropy (8bit):0.3938560967185485
      Encrypted:false
      SSDEEP:24:KldlQMIzRDnnill7DBtDi4kZERD+xqt8VtbDBtDi4kZERDW:Y7Qjbill7DYMKxO8VFDYMC
      MD5:D4C8BB5FCCE59319B1CCEFA4EEDF8F90
      SHA1:0BA43D1C9F3D56151B55BF4439A2D062DD6F0952
      SHA-256:EB571A382BC8DEF7120D78EE449B5BA13D521218E98D99F58D91DA99D711D4E9
      SHA-512:BB560FFD61A76E7BBECAF28B7511AB98722B8F6D0E6FC40FB00C8385F0491938F85B08CF1A32001EF460C735B59591B75697BCDFF985214736DF055A43EDA420
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):4984
      Entropy (8bit):3.11204952773412
      Encrypted:false
      SSDEEP:48:FyAL2V2ofsj5QkV8XnVX/lXX+YNZpk80yW5v1hlYNuyVsqwQCLnTKfhn2jqUqzHL:FwV2ofy5QaMGfb7lYQsreU2WzB
      MD5:A792797F56D03C1AAF0CB2EFEAA0376B
      SHA1:D4D396A19240BC244DAAC1CA9865819D7C69D55E
      SHA-256:597FB14A61BE00110ADB3D6989A84D85AFA817ED49A6D58AE66F313F295A5D5E
      SHA-512:871DE1A910B379420DDF9327C3170E8E8BFA5222B82116573C53D688C24274DDAF07DD928C9F7E8DEAA71F53E6ADC6F0E7949DABAAADF45FA20E85177AEA9055
      Malicious:false
      Preview:No suele recibir correos electrónicos de contabilidadfrijolin@gmail.com. HYPERLINK "https://aka.ms/LearnAboutSenderIdentification"
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:ASCII text, with very long lines (28752), with CRLF line terminators
      Category:dropped
      Size (bytes):20971520
      Entropy (8bit):0.15953698542021888
      Encrypted:false
      SSDEEP:1536:fg4ucLPRXRTXFq0g8nKP9GQzkSYmy8x/j0QLsyJXkBB:RLZh5q03MyU
      MD5:7EE6E196E37709FCDDD22CA2C8EE2396
      SHA1:CC217637C41D795DD698FD0B673BBB8E7A58527F
      SHA-256:685EEF76E1301C195E800B52246B243A5E0A4753F82BE8DE7656B2F2841AC401
      SHA-512:0FED1A71F65971AD598253348AFA9B61484284F21A3028F4070D2F2A38C762AD04837D0A40AC4A41ED8AC9E37FAA160EB764AD55DE6F0D76D4A68A5A10E18405
      Malicious:false
      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..04/23/2024 14:26:30.458.OUTLOOK (0xB90).0xF5C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":25,"Time":"2024-04-23T14:26:30.458Z","Contract":"Office.System.Activity","Activity.CV":"RwGnNI+pmEmofMVZ/9CkSQ.4.11","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...04/23/2024 14:26:30.473.OUTLOOK (0xB90).0xF5C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":27,"Time":"2024-04-23T14:26:30.473Z","Contract":"Office.System.Activity","Activity.CV":"RwGnNI+pmEmofMVZ/9CkSQ.4.12","Activity.Duration":10887,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVers
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):20971520
      Entropy (8bit):0.0
      Encrypted:false
      SSDEEP:3::
      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):98304
      Entropy (8bit):4.476593497099553
      Encrypted:false
      SSDEEP:768:cVz9TExulb8smOyC4mQ9QGJa1F/DHXw37WXWVW7:qL4mQ9QGEX7X1
      MD5:7F10C1D6BA4AF740396A877110CC6005
      SHA1:4418A1AE443481CEC51970795974E4EA1D27BBAA
      SHA-256:CBE0E3A06C9E8BA25A38813D03C5603F15D100066DFF656F57EC624B4C5A3C20
      SHA-512:81F7158B9655419654FA4C49F212A4CA4DF8BC5433970A3A64D64412F72741F69874B17535F244728AE7C577AB35B396EF4D2101E523CA23DFD595266599A087
      Malicious:false
      Preview:@tzres.dll,-322 ... @tzres.dll,-321 ... v2_OUTLOOK:b90:bfaa0e302d84464e844c16a2c5ff61de ... C:\Users\torres\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240423T1626300189-2960.etl
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):30
      Entropy (8bit):1.2389205950315936
      Encrypted:false
      SSDEEP:3:Idlllt:Id/l
      MD5:DB910C699AFF690E15DB903A9B96EC07
      SHA1:EE33CE911FE0CC4A7F6A874D40A1DE0624ACE1CB
      SHA-256:A6761E53355EA4C61353B2CF51DACAFC05B55D68D11B2D29E668E213E49498FF
      SHA-512:D465E5EA5AFE349318239557A8E8FD47CAD23932DD89C345A6D08904688F822FD0261509EF83D65232B4A47B3B2C217A297A5A93B8B7F5B7369EB44A4BD503A0
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Composite Document File V2 Document, Cannot read section info
      Category:dropped
      Size (bytes):2560
      Entropy (8bit):2.0193739623516174
      Encrypted:false
      SSDEEP:12:rl3baFWrsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCop:rJmnq1Py961op
      MD5:4F51744671E48758EBBA5FC8557322AF
      SHA1:4F69FFA9229D997BD46F69D92DD3D02AAA25860B
      SHA-256:C400A96A6A9EDFF1F8DEFA75ADAC8D2A65566EF93D5F6E328AA439251E76D7FC
      SHA-512:74DAB9634B486B923553ABB4A55A77274DCD3BF4191E6C13A77ADE6D1B3F43A62383B50329CAC17064A1D32690E27E8C8DCA37CC65717064A9A6B54E71C7D557
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Word 2007+
      Category:dropped
      Size (bytes):19613
      Entropy (8bit):7.478815940344003
      Encrypted:false
      SSDEEP:384:Jrt+xRLymSajsvu73BlCw/vhYz3NsbA6PW1VMBAFTcU:VywGaGWwBYz2bA6+1ezU
      MD5:7C602A129996131DB78AEEE972FBE8BE
      SHA1:5E2D4B2F8703EE6B96DF23E678937A0017D1CDBB
      SHA-256:E49594906CC696C040F8237720159368251AC593C4EED71FF9C3023352AF1252
      SHA-512:8F50C094AA1D50906E7E9D5234046BA61E1CE9DA1722F3759ED5978D00F7290710BBF3BB8B8DD63941AB87BD40FCAAF68D0C72164B0DA93C56840C5A3C93DED7
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:modified
      Size (bytes):162
      Entropy (8bit):3.7561370880485208
      Encrypted:false
      SSDEEP:3:4HAGl/lSlJ/oPg+pv9fVGClldc+Ov9I9ZPToYlttq5o1H:4Ll/gl6o+B3Gv+Ov9AyYltYWd
      MD5:8EF658FC4A8952EC95BC138936925D9B
      SHA1:ECB5BF8E5EC6FAF60C8818705698E186A60FB747
      SHA-256:317F32B3B66ADD39A9F799586894919273B93F2ADFF5467E49DCD357BD2115D7
      SHA-512:8375C093C8927E7E2F2060882E3A49DE3AC84F5E49272EC01476DC6D19A151133C99E58ADFD9BB42E6879BCBE18453AD252FE68539DE941FC9090A9C3DA10A88
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Word 2007+
      Category:dropped
      Size (bytes):19613
      Entropy (8bit):7.478815940344003
      Encrypted:false
      SSDEEP:384:Jrt+xRLymSajsvu73BlCw/vhYz3NsbA6PW1VMBAFTcU:VywGaGWwBYz2bA6+1ezU
      MD5:7C602A129996131DB78AEEE972FBE8BE
      SHA1:5E2D4B2F8703EE6B96DF23E678937A0017D1CDBB
      SHA-256:E49594906CC696C040F8237720159368251AC593C4EED71FF9C3023352AF1252
      SHA-512:8F50C094AA1D50906E7E9D5234046BA61E1CE9DA1722F3759ED5978D00F7290710BBF3BB8B8DD63941AB87BD40FCAAF68D0C72164B0DA93C56840C5A3C93DED7
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:Microsoft Outlook email folder (>=2003)
      Category:dropped
      Size (bytes):271360
      Entropy (8bit):4.417405407314774
      Encrypted:false
      SSDEEP:1536:TT/fg/OxuVvkXwGl6BvTOdZfj8G6Ir49SoxrNDNQm5KoynXgSKuSWuiKMW1DDwWR://fPulbfTOS11rNiQSKuxcM2yp96
      MD5:68C3BE72035B62F13CE202A65B96B309
      SHA1:E361110AA8358A49C2B9DC59EE7A684E2F63102B
      SHA-256:9B9237EB4AA06FBB4CBEFA6511CFFAFD3AFC941FA0432DEE4EEF747977A27346
      SHA-512:3C82C2FAF20AC9B8E2C685911FB9FAC16DB7AF6032A0040B1F31956FAE45141824916A086F9F3CFCF3AD2015C62ACEC2AAA238A0B46B6BBADF0B45E91FBD8F69
      Malicious:false
      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
      File Type:data
      Category:dropped
      Size (bytes):131072
      Entropy (8bit):6.613812382892589
      Encrypted:false
      SSDEEP:1536:4YXgSTuSLuiKMckXfGl6fvTOpZfj8G/Ir492oxrNjzVW53jEpEHP4qQ10PAwrcTC:4vSTuocMcIhTO71xrN3jp9Pzu
      MD5:152338B3F323F05B77FEB35E9DE47F05
      SHA1:8DFF91F377189B374C48AECD256013BD492A7F68
      SHA-256:570DAF9E8C2B0191CB0EFFBE40E2E226D1E64FF5D406B1B4D235D9CE23C24626
      SHA-512:DE248CA70347C44D9B75404B848FC312D9ED3BBC5A2178635B18248994F002FBF20EBA0A1B6EC3004676221E76EEF07E8F21B97149D163EC1FC49AD71E90429A
      Malicious:false
      File type:ASCII text, with CRLF line terminators
      Entropy (8bit):6.147595534907486
      TrID:
        File name:s1TlFBQj.eml
        File size:96'181 bytes
        MD5:95c17f3ada77d7b70fd103503afb65c3
        SHA1:890d743a7924df81bbcd08882d1fb2cf77a17b74
        SHA256:388fadb8c6b92e2c62f3218e90fb5ec2b1c2a6e0777009859a8439e6d32ffb0f
        SHA512:aaa79ed8d98e0bbb45ef868246b5853f3db82d2d751c799362e80bbce99f61f7c20664e1121120c87c04ec75ee1356fa8ad394a82981104ef6edb2bcbaa5d17a
        SSDEEP:1536:qLcXMJjbH3kuTGQrVv6YAtFD2IR5TKUivmaiF6e29yTPiHMXNArXP3IVRXrUkG05:GcXMJP3kYnVwyIRauaiEhvsurfIVRXYk
        TLSH:3993E16A5D4324679A34A35FE39D180012BC7B8D83D3D8F0B71E95A417ED233572D963
        File Content Preview:authentication-results: spf=pass (sender IP is 209.85.166.47).. smtp.mailfrom=gmail.com; dkim=pass (signature was verified).. header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass.. reason=100..cc: "Restaurante Paisa" <restaurantee
        Subject:EXTERNAL: Re: SOLICITUD FACTURA ELECTRONICA
        From:EL FRIJOLIN SAS <contabilidadfrijolin@gmail.com>
        To:Liz Karen Hernandez Galindo <LHernan2@hycite.com>
        Cc:Restaurante Paisa <restauranteelfrijolin@gmail.com>
        BCC:Restaurante Paisa <restauranteelfrijolin@gmail.com>
        Date:Fri, 19 Apr 2024 10:09:07 -0500
        Communications:
        • You don't often get email from contabilidadfrijolin@gmail.com. Why this is important (https://aka.ms/LearnAboutSenderIdentification)
          CAUTION: This email originated from outside the company. Do not click links or open attachments unless you recognize the sender and know the content is safe.
          Good morning
          This invoice was issued on 09 April and sent to the address co-facturasproveedor@hycite.com,
          If the email is sent again without checking, the error of invoicing twice may be made
          Accounting
          On Wed, 3 Apr 2024 at 15:15, Restaurante Paisa (<restauranteelfrijolin@gmail.com>) wrote:
          ---------- Forwarded message ---------
          From: Lina Alejandra Santana Perez <LSantan2@hycite.com>
          Date: Wed, 3 Apr 2024 3:11 p.m.
          Subject: SOLICITUD FACTURA ELECTRONICA
          To: restauranteelfrijolin@gmail.com <restauranteelfrijolin@gmail.com>
          Cc: Liz Karen Hernandez Galindo <LHernan2@hycite.com>
          Good day,
          I request your kind assistance with the electronic invoice
          Thank you
          I confirm the company's NIT
          HY CITE ENTRERPRISES COLOMBIA
          900.744.272-4
        Attachments:
        • FEFR237_f090161469300000000ED.pdf
        Key Value
        authentication-results: spf=pass (sender IP is 209.85.166.47) smtp.mailfrom=gmail.com; dkim=pass (signature was verified) header.d=gmail.com;dmarc=pass action=none header.from=gmail.com;compauth=pass reason=100
        cc: Restaurante Paisa <restauranteelfrijolin@gmail.com>
        date: Fri, 19 Apr 2024 10:09:07 -0500
        dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713539359; x=1714144159; darn=hycite.com; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CcUZC6tp6AlITmhz8wJsSO7wBPE3i2hic1wTJPkhPVM=; b=Jca+2xu3OuW751Vd8w0X20G2n4Gikirm1QHIUTWSs3UsXdLZaiXpp0cuSC7/1S023B nxhjcGeJ3mG9QyaI9lfq+SbmeudEada8PUeWe5weqShmxlU1dE0N3RwOEKQgU1+BhH54 dEOmMr2WrIEJlEoB2uPoPBnHsJ/5ZXuw7xK3SyclNqnMTKhO66K9BMSYooFmKE1BwLfc UPMWaJirnevVh7v2jH94R8j3p6jmBTrlgwwu2hhdh/+EbXY1yDBchfUmJT8knYmt1jhu 2DJytgXIXeHQuvrmw6DFltHk4dPz5AReHstzErproXQvPTyTdHp1UCzvldfflD/a9Ldi eG5A==
        from: EL FRIJOLIN SAS <contabilidadfrijolin@gmail.com>
        in-reply-to: <CACUVw6iFT1aH0sCi=AMiWgPLFhk+XTexvOi3O4RVBuwPwt+6sQ@mail.gmail.com>
        message-id: <CACVF+P0tGjaUaTr2iKjPM=Z_6SmpH70CTV6r7VyjQAjwMDup5g@mail.gmail.com>
        mime-version: 1.0
        received: from CH0PR16MB5275.namprd16.prod.outlook.com (2603:10b6:610:18c::18) by LV3PR16MB6147.namprd16.prod.outlook.com with HTTPS; Fri, 19 Apr 2024 15:09:45 +0000, from CH2PR11CA0008.namprd11.prod.outlook.com (2603:10b6:610:54::18) by CH0PR16MB5275.namprd16.prod.outlook.com (2603:10b6:610:18c::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7472.43; Fri, 19 Apr 2024 15:09:19 +0000, from CH2PEPF0000013D.namprd02.prod.outlook.com (2603:10b6:610:54:cafe::d1) by CH2PR11CA0008.outlook.office365.com (2603:10b6:610:54::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7495.30 via Frontend Transport; Fri, 19 Apr 2024 15:09:19 +0000, from mail-io1-f47.google.com (209.85.166.47) by CH2PEPF0000013D.mail.protection.outlook.com (10.167.244.69) with Microsoft SMTP Server (version=TLS1_3, cipher=TLS_AES_256_GCM_SHA384) id 15.20.7452.22 via Frontend Transport; Fri, 19 Apr 2024 15:09:19 +0000, by mail-io1-f47.google.com with SMTP id ca18e2360f4ac-7da37436e36so61220639f.0 for <LHernan2@hycite.com>; Fri, 19 Apr 2024 08:09:19 -0700 (PDT)
        received-spf: Pass (protection.outlook.com: domain of gmail.com designates 209.85.166.47 as permitted sender) receiver=protection.outlook.com; client-ip=209.85.166.47; helo=mail-io1-f47.google.com; pr=C
        references: <CY5PR12MB655215369525CDEFD10186A1FC3D2@CY5PR12MB6552.namprd12.prod.outlook.com> <BYAPR16MB2694B218DA5A5CC674F44A7AE63D2@BYAPR16MB2694.namprd16.prod.outlook.com> <CACUVw6iFT1aH0sCi=AMiWgPLFhk+XTexvOi3O4RVBuwPwt+6sQ@mail.gmail.com>
        return-path: contabilidadfrijolin@gmail.com
        subject: EXTERNAL: Re: SOLICITUD FACTURA ELECTRONICA
        to: Liz Karen Hernandez Galindo <LHernan2@hycite.com>
        x-eopattributedmessage: 0
        x-eoptenantattributedmessage: fc5c68f6-97f3-4efe-b689-eb5c1234f821:0
        x-forefront-antispam-report: CIP:209.85.166.47;CTRY:US;LANG:es;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail-io1-f47.google.com;PTR:mail-io1-f47.google.com;CAT:NONE;SFTY:9.25;SFS:(13230031)(7093399003);DIR:INB;SFTY:9.25;
        x-google-dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713539359; x=1714144159; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CcUZC6tp6AlITmhz8wJsSO7wBPE3i2hic1wTJPkhPVM=; b=vX5sDMs4CpjLrD36fbfHikeYnhb9JitI2/1T9EQjbBgExvRgU6Sp3XqNAEnD/vEr86 QaNI2O2kH7F8Ek53xtghuUdEkhVqNViM1yul7G2wJps/wKvSN5R7axlIHnc238Ol8/pw O+NNShhdiJh+kea5Q9YEbVKlwv8ZKA3PGx5lFRwK+UsjbEG/XI6Bh2v4vrjk6P6jTU7p mp1yxwIyrMURZBt98kMPY4kF240uhlPA/On1X9wQBCstSQ6rfUgEuvrKP7IV7KLVFSO1 oWTt8atEMwecu3FnGSs8OGx3hngBLeGLkKttv+fmvJseFqfHr/fBmpsH0dWo0wIPtN/E saGw==
        x-microsoft-antispam: BCL:0;
        x-microsoft-antispam-mailbox-delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
        x-ms-exchange-atpmessageproperties: SA|SL
        x-ms-exchange-crosstenant-authas: Anonymous
        x-ms-exchange-crosstenant-authsource: CH2PEPF0000013D.namprd02.prod.outlook.com
        x-ms-exchange-crosstenant-fromentityheader: Internet
        x-ms-exchange-crosstenant-id: fc5c68f6-97f3-4efe-b689-eb5c1234f821
        x-ms-exchange-crosstenant-network-message-id: b6ae3e6d-8484-4130-511e-08dc6082b004
        x-ms-exchange-crosstenant-originalarrivaltime: 19 Apr 2024 15:09:19.4543 (UTC)
        x-ms-exchange-organization-authas: Anonymous
        x-ms-exchange-organization-authsource: CH2PEPF0000013D.namprd02.prod.outlook.com
        x-ms-exchange-organization-expirationinterval: 1:00:00:00.0000000
        x-ms-exchange-organization-expirationintervalreason: OriginalSubmit
        x-ms-exchange-organization-expirationstarttime: 19 Apr 2024 15:09:19.4855 (UTC)
        x-ms-exchange-organization-expirationstarttimereason: OriginalSubmit
        x-ms-exchange-organization-messagedirectionality: Incoming
        x-ms-exchange-organization-network-message-id: b6ae3e6d-8484-4130-511e-08dc6082b004
        x-ms-exchange-organization-scl: 1
        x-ms-exchange-processed-by-bccfoldering: 15.20.7472.035
        x-ms-exchange-transport-crosstenantheadersstamped: CH0PR16MB5275
        x-ms-exchange-transport-endtoendlatency: 00:00:26.4600170
        x-ms-office365-filtering-correlation-id: b6ae3e6d-8484-4130-511e-08dc6082b004
        x-ms-publictraffictype: Email
        x-ms-traffictypediagnostic: CH2PEPF0000013D:EE_|CH0PR16MB5275:EE_|LV3PR16MB6147:EE_
        x-received: by 2002:a05:6602:6587:b0:7d3:4b31:7ecf with SMTP id gv7-20020a056602658700b007d34b317ecfmr2564631iob.15.1713539358672; Fri, 19 Apr 2024 08:09:18 -0700 (PDT)
        Content-Type: multipart/mixed; boundary="===============2474558484073483961=="

        Icon Hash:46070c0a8e0c67d6
        No network behavior found

        Target ID:0
        Start time:16:26:30
        Start date:23/04/2024
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\s1TlFBQj.eml"
        Imagebase:0x730000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:2
        Start time:16:26:31
        Start date:23/04/2024
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "850F2285-132C-4041-86C8-A7FCAFCBC6A8" "E2F15479-65A2-46C7-AC1D-7CEED2590D36" "2960" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff63fb40000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        No disassembly