Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Quarantined Messages (17).zip

Overview

General Information

Sample name:Quarantined Messages (17).zip
Analysis ID:1438235
MD5:0e470fd94fe661e546140b0111a37e48
SHA1:126377a97ec72294bafef89bcb02955996964f7f
SHA256:02f88e0effb254717f1b1ed9264e3a6ec0118eee0854e900979303b277e1724f
Infos:

Detection

Score:3
Range:0 - 100
Whitelisted:false
Confidence:40%

Signatures

Creates a window with clipboard capturing capabilities
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Office Macro File Download
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
All HTTP servers contacted by the sample do not answer. The sample is likely an old dropper which does no longer work.
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis

Process Tree

  • System is w10x64_ra
  • rundll32.exe (PID: 4800 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • OUTLOOK.EXE (PID: 4196 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Temp\Temp1_Quarantined Messages (17).zip\c8d6f348-2c7f-4373-d490-08dc6d99c1ea\3776921e-2a18-2cd4-aaec-da6b081172ed.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6368 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F934068C-7290-4272-93EB-0EABEDB4C2FD" "72FE0D74-B04C-4033-BC1B-8AD57BC871D2" "4196" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • chrome.exe (PID: 7048 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\summary_06-May-2024_08-02-35.htm MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 4780 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1844,i,419478032194363723,16406378703367206043,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup

Yara Signatures

No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Sigma detected: Office Macro File Download
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4196, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Sigma detected: Outlook Security Settings Updated - Registry
Source: Registry Key setAuthor: frack113: Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WG1H6521\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4196, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
Sigma detected: Office Macro File Creation
Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4196, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

Snort Signatures

No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: file:///C:/Users/user/Desktop/summary_06-May-2024_08-02-35.htmHTTP Parser: No favicon
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknownTCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownTCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: www.google.com
Source: unknownNetwork traffic detected: HTTP traffic on port 49673 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49678 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
Source: unknownHTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.16:49719 version: TLS 1.2
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow created: window name: CLIPBRDWNDCLASS
Source: classification engineClassification label: clean3.winZIP@17/28@2/34
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240508T1356150468-4196.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile read: C:\Users\desktop.ini
Source: C:\Windows\System32\rundll32.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Temp\Temp1_Quarantined Messages (17).zip\c8d6f348-2c7f-4373-d490-08dc6d99c1ea\3776921e-2a18-2cd4-aaec-da6b081172ed.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F934068C-7290-4272-93EB-0EABEDB4C2FD" "72FE0D74-B04C-4033-BC1B-8AD57BC871D2" "4196" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "F934068C-7290-4272-93EB-0EABEDB4C2FD" "72FE0D74-B04C-4033-BC1B-8AD57BC871D2" "4196" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknownProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\summary_06-May-2024_08-02-35.htm
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1844,i,419478032194363723,16406378703367206043,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 --field-trial-handle=1844,i,419478032194363723,16406378703367206043,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow detected: Number of UI elements: 16
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation1
DLL Side-Loading		1
Process Injection		1
Masquerading		OS Credential Dumping1
Process Discovery		Remote Services1
Clipboard Data		2
Encrypted Channel		Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault AccountsScheduled Task/Job1
Registry Run Keys / Startup Folder		1
DLL Side-Loading		1
Rundll32		LSASS Memory1
File and Directory Discovery		Remote Desktop ProtocolData from Removable Media1
Non-Application Layer Protocol		Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
Registry Run Keys / Startup Folder		1
Process Injection		Security Account Manager13
System Information Discovery		SMB/Windows Admin SharesData from Network Shared Drive2
Application Layer Protocol		Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
DLL Side-Loading		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.


windows-stand

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

SourceDetectionScannerLabelLink
file:///C:/Users/user/Desktop/summary_06-May-2024_08-02-35.htm0%Avira URL Cloudsafe

Domains and IPs

Contacted Domains

NameIPActiveMaliciousAntivirus DetectionReputation
www.google.com
142.251.215.228
truefalse
    		high

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    file:///C:/Users/user/Desktop/summary_06-May-2024_08-02-35.htmfalse
    • Avira URL Cloud: safe
    		low

    World Map of Contacted IPs

    • No. of IPs < 25%
    • 25% < No. of IPs < 50%
    • 50% < No. of IPs < 75%
    • 75% < No. of IPs

    Public IPs

    IPDomainCountryFlagASNASN NameMalicious
    52.113.194.132
    		unknownUnited States
    		8068MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
    20.42.73.30
    		unknownUnited States
    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
    1.1.1.1
    		unknownAustralia
    		13335CLOUDFLARENETUSfalse
    74.125.20.84
    		unknownUnited States
    		15169GOOGLEUSfalse
    142.251.215.228
    		www.google.comUnited States
    		15169GOOGLEUSfalse
    239.255.255.250
    		unknownReserved
    		unknownunknownfalse
    142.250.69.195
    		unknownUnited States
    		15169GOOGLEUSfalse
    142.250.69.206
    		unknownUnited States
    		15169GOOGLEUSfalse
    104.98.118.147
    		unknownUnited States
    		20940AKAMAI-ASN1EUfalse
    52.109.20.39
    		unknownUnited States
    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
    52.109.0.142
    		unknownUnited States
    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
    52.109.0.91
    		unknownUnited States
    		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse

    Private

    IP
    192.168.2.16

    General Information

    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1438235
    Start date and time:2024-05-08 13:55:39 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:defaultwindowsinteractivecookbook.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:19
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    Analysis Mode:stream
    Analysis stop reason:Timeout
    Sample name:Quarantined Messages (17).zip
    Detection:CLEAN
    Classification:clean3.winZIP@17/28@2/34
    Cookbook Comments:
    • Found application associated with file extension: .zip

    Warnings

    • Exclude process from analysis (whitelisted): dllhost.exe
    • Excluded IPs from analysis (whitelisted): 52.109.0.91, 52.113.194.132, 52.109.20.39, 104.98.118.147, 52.109.0.142
    • Excluded domains from analysis (whitelisted): omex.cdn.office.net, odc.officeapps.live.com, slscr.update.microsoft.com, osiprod-wus-bronze-azsc-000.westus.cloudapp.azure.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, wus-azsc-config.officeapps.live.com, officeclient.microsoft.com, osiprod-scus-buff-azsc-000.southcentralus.cloudapp.azure.com, a1864.dscd.akamai.net, wus-azsc-000.odc.officeapps.live.com, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, us2.roaming1.live.com.akadns.net, ctldl.windowsupdate.com, scus-azsc-000.roaming.officeapps.live.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, us2.odcsm1.live.com.akadns.net, s-0005.s-msedge.net, config.officeapps.live.com, us.configsvc1.live.com.akadns.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, prod.odcsm1.live.com.akadns.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • Report size getting too big, too many NtSetValueKey calls found.

    Created / dropped Files

    C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):231348
    Entropy (8bit):4.392920726592617
    Encrypted:false
    SSDEEP:
    MD5:8BB9926EE3C37371AB7EEEA516B92A5A
    SHA1:880C45BD955F4EFC7F491285EB64E0ABBB605113
    SHA-256:67556CA56EB5BA1FABB15F19837ADF60A3158D073E72EC4E409A5DE0E361098B
    SHA-512:4B11894D9E99260B82FA9BDE3662007D3EE386566CEE19E6595688A8916316A992F85ABA6EC479C83BB26E75C692D118454580FB12A554968F2EC1BE321E199E
    Malicious:false
    Reputation:unknown
    Preview:TH02...... ...Y.>.......SM01X...,....6K.>...........IPM.Activity...........h...............h............H..h........l.Z....h.........I..H..h\cal ...pDat...h.o..0...p......h|.^............h........_`Wk...h..^.@...I.lw...h....H...8.\k...0....T...............d.........2h...............k3.......C.T...!h.............. h.Z~9..........#h....8.........$h.I......8....."h.l......Ho....'h..............1h|.^.<.........0h....4....\k../h....h.....\kH..h....p.........-h .............+h..^................ ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with very long lines (65536), with no line terminators
    Category:dropped
    Size (bytes):322260
    Entropy (8bit):4.000299760592446
    Encrypted:false
    SSDEEP:
    MD5:CC90D669144261B198DEAD45AA266572
    SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
    SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
    SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
    Malicious:false
    Reputation:unknown
    Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with no line terminators
    Category:dropped
    Size (bytes):10
    Entropy (8bit):2.4464393446710155
    Encrypted:false
    SSDEEP:
    MD5:03E09EE0579B85405C52E3901C75B3E3
    SHA1:AF3AE06248C69A85189D5EBA6CE993056E8BF36E
    SHA-256:700FB13BDDF16511DAA4CD4F448579E036973668F02161406B9E14E36722F665
    SHA-512:3966548E957F94EEF5DA16AA93BB9C181AAC98ACD1B7DE6724C5C9A4CE9885BF762EACAA01FA5934CBC9052277434899F1F017D47EDA2BBA2182CC5FCCFA24AF
    Malicious:false
    Reputation:unknown
    Preview:1715169379

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate\Outlook.CampaignStates.json

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:JSON data
    Category:dropped
    Size (bytes):1538
    Entropy (8bit):5.170046666246265
    Encrypted:false
    SSDEEP:
    MD5:F903C4A051E8AA36E9E085B08D1BC55E
    SHA1:FF9AF9BBA28D4F3FF2238A64425CABE8123250AB
    SHA-256:59D97433D58543D3CAE4BFDF9AC0DC6990A99BFB10D118B0D62D32DA15D30968
    SHA-512:7B9A526C71B8DF94CF6556AB827C07E2265ACF6F81B4A12B3303ACCD6601C92735ECAA0F4AD5DC054FD1E7EA19B29FC220F41213822CD04E71DC27FDA8C9027B
    Malicious:false
    Reputation:unknown
    Preview:{"CampaignStates":[{"CampaignId":"398f8b35-ef06-4a2b-a5dc-d85540d6fff3","LastNominationTimeUtc":"2023-10-06T09:25:18Z","LastNominationBuildNumber":"16.0.16827.20130","DeleteAfterSecondsWhenStale":31536000,"ForceCandidacy":false,"IsCandidate":true,"DidCandidateTriggerSurvey":false,"LastSurveyActivatedTimeUtc":"1601-01-01T00:00:00Z","LastSurveyId":"7e1f72bd-2c13-423b-93cf-2786588bccbb","LastSurveyStartTimeUtc":"2023-10-06T09:25:18Z","LastSurveyExpirationTimeUtc":"2024-10-05T09:25:18Z","LastCooldownEndTimeUtc":"1601-01-01T00:00:00Z"},{"CampaignId":"8a42827d-29d2-473e-998e-3217724c5b68","LastNominationTimeUtc":"2023-10-06T09:25:18Z","LastNominationBuildNumber":"16.0.16827.20130","DeleteAfterSecondsWhenStale":31536000,"ForceCandidacy":false,"IsCandidate":true,"DidCandidateTriggerSurvey":false,"LastSurveyActivatedTimeUtc":"1601-01-01T00:00:00Z","LastSurveyId":"0bb7f335-0b8a-4926-bb93-540e4e5b86c8","LastSurveyStartTimeUtc":"2023-10-06T09:25:18Z","LastSurveyExpirationTimeUtc":"2024-10-05T09:25

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate\Outlook.GovernedChannelStates.json

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:JSON data
    Category:dropped
    Size (bytes):740
    Entropy (8bit):4.578658879460996
    Encrypted:false
    SSDEEP:
    MD5:439A34DE8DA5C04AF25AADB84A2120D4
    SHA1:F12F9FF6E03A5762BD03061557029446680B1DAE
    SHA-256:32B560C75C25C6F56C0439F67A3FA7D4F271F07B435EE41575A3D82C6C612880
    SHA-512:BE704CD0DF8041945D16B8103135650B33D5E97D6F7C202E9C9499C3AE57E33855C2CC3A8F73B578DB482F47026C756F1FAA411A2CC58B5E53CE23CD24229834
    Malicious:false
    Reputation:unknown
    Preview:{"ChannelStates":[{"ChannelType":0,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1209600},{"ChannelType":1,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":2,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":3,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":3600},{"ChannelType":4,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":10800},{"ChannelType":5,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":7776000},{"ChannelType":6,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1800},{"ChannelType":7,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":0},{"ChannelType":8,"CooldownStartTimeUtc":"1601-01-01T00:00:00Z","Cooldown":1209600}]}

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate\Outlook.Settings.json

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:JSON data
    Category:dropped
    Size (bytes):87
    Entropy (8bit):4.576828956814449
    Encrypted:false
    SSDEEP:
    MD5:E4E83F8123E9740B8AA3C3DFA77C1C04
    SHA1:5281EAE96EFDE7B0E16A1D977F005F0D3BD7AAD0
    SHA-256:6034F27B0823B2A6A76FE296E851939FD05324D0AF9D55F249C79AF118B0EB31
    SHA-512:BD6B33FD2BBCE4A46991BC0D877695D16F7E60B1959A0DEFC79B627E569E5C6CAC7B4AD4E3E1D8389A08584602A51CF84D44CF247F03BEB95F7D307FBBA12BB9
    Malicious:false
    Reputation:unknown
    Preview:{"ShouldFloodgateTakePrecedenceOverRateAndReview":false,"AreRatingSurveysEnabled":true}

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\Floodgate\Outlook.SurveyEventActivityStats.json

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:JSON data
    Category:dropped
    Size (bytes):14
    Entropy (8bit):3.378783493486176
    Encrypted:false
    SSDEEP:
    MD5:6CA4960355E4951C72AA5F6364E459D5
    SHA1:2FD90B4EC32804DFF7A41B6E63C8B0A40B592113
    SHA-256:88301F0B7E96132A2699A8BCE47D120855C7F0A37054540019E3204D6BCBABA3
    SHA-512:8544CD778717788B7484FAF2001F463320A357DB63CB72715C1395EF19D32EEC4278BAB07F15DE3F4FED6AF7E4F96C41908A0C45BE94D5CDD8121877ECCF310D
    Malicious:false
    Reputation:unknown
    Preview:{"Surveys":{}}

    C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\25AB4A9A-DF95-44A4-B233-041BAA334CB6

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):166208
    Entropy (8bit):5.340932080221233
    Encrypted:false
    SSDEEP:
    MD5:3FB17A70F8E429DBCF8B535B8A8FF6E3
    SHA1:85A0EE72E9925F1C42ACADCF41A968DAD2B2F6F0
    SHA-256:891A4F284AF2F82A570C966120C8DB6BA478C98204BAF3161485576A3FA52BD3
    SHA-512:86AC29E6D4AB456A1CBACFB0D70917A36A6F3A47477BBC81AE6FD7026689A36B1C228F91059EA3375EF401FDA79013845B770CF2329A96856CB5FCDFE50A9C58
    Malicious:false
    Reputation:unknown
    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-05-08T11:56:17">.. Build: 16.0.17702.40136-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth

    C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
    Category:dropped
    Size (bytes):4096
    Entropy (8bit):0.09304735440217722
    Encrypted:false
    SSDEEP:
    MD5:D0DE7DB24F7B0C0FE636B34E253F1562
    SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
    SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
    SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
    Malicious:false
    Reputation:unknown
    Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:SQLite Rollback Journal
    Category:dropped
    Size (bytes):4616
    Entropy (8bit):0.1384465837476566
    Encrypted:false
    SSDEEP:
    MD5:EE33954AEBE8D5C0F22711EC5570B8F2
    SHA1:55B686BAF6108DCD2899A06FA8590F0302C470D1
    SHA-256:88E37F82310BE2E817D29810D36EE6B0B946891C34425BB8FEB376133C7741B3
    SHA-512:E7D600A59956DF752E8AE9ADCC5EAE346E89D98D09BBA8170A5309D9DDDA2ED5402374E470BA2899AE15C8B51BE8C8B5B9975DF9F6A189BBDF25A06D8CEEA321
    Malicious:false
    Reputation:unknown
    Preview:.... .c........d....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):0.04486648292292196
    Encrypted:false
    SSDEEP:
    MD5:D292E402BACE99B056EB8068A044E3AE
    SHA1:92F88DC41882D1F94B0A018E167A2BFCB3ED3692
    SHA-256:7FF2F2D4A7756B37048A91B6AEC485D3921767CC265B055D0A2A60752BFA5668
    SHA-512:EB0CE240C1FD543903345AFEEA3FEB387EB4D96FC1A81EAF1C7CD4A3AC4E279F207DE3440110D81B636DF5724B9EE6B5DFE303600778E64807E373ACA2E886E0
    Malicious:false
    Reputation:unknown
    Preview:..-......................0.......W.<j.iX5..K.....-......................0.......W.<j.iX5..K...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:SQLite Write-Ahead Log, version 3007000
    Category:dropped
    Size (bytes):45352
    Entropy (8bit):0.3947019065830845
    Encrypted:false
    SSDEEP:
    MD5:B06B703E855590C3CD24D7A2F72D6F20
    SHA1:B20E04F517D5E1D348782B8537939AEA94B4EE31
    SHA-256:5CF9768CF8E840D50D759E30E1FAC5FF75C0AE1949F5C5A5520D2C9B78613AB6
    SHA-512:E0754297814642AF508FF8955CB689D5EC600C221CF0EC332B9673B2AC5A39BC75C7C79F5D93F5EBE749E4CB831BF79B8E87BF6C967E07482F22A2371041AF09
    Malicious:false
    Reputation:unknown
    Preview:7....-............W.<j.is>....Q...........W.<j.i...a.8A.SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\WG1H6521\summary_06-May-2024_08-02-35.htm:Zone.Identifier

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):26
    Entropy (8bit):3.95006375643621
    Encrypted:false
    SSDEEP:
    MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
    SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
    SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
    SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
    Malicious:false
    Reputation:unknown
    Preview:[ZoneTransfer]..ZoneId=3..

    C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715169375681586600_49E01608-A0CF-4AE7-9046-9786213DC423.log

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with very long lines (28729), with CRLF line terminators
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.1586409682161881
    Encrypted:false
    SSDEEP:
    MD5:DE485029B05C7EADA76B8A2750840B63
    SHA1:EB1558A7373C01B777D93ED28F4C8E626B80F909
    SHA-256:F576C09D8BB7EB3FA17E1E1292849ED337725175B586561E776FA6E40053BE21
    SHA-512:608A775E99F5D4D2614C5CC2DB321E4BFE7281333A3CB7CFC6677F85DAA3462D1E02378885D68392A2C836FD2AFE3A95F9D709DD72E63C588B9F218A963A9EBB
    Malicious:false
    Reputation:unknown
    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..05/08/2024 11:56:15.735.OUTLOOK (0x1064).0xF70.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-05-08T11:56:15.735Z","Contract":"Office.System.Activity","Activity.CV":"CBbgSc+g50qQRpeGIT3EIw.4.9","Activity.Duration":15,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...05/08/2024 11:56:15.751.OUTLOOK (0x1064).0xF70.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-05-08T11:56:15.751Z","Contract":"Office.System.Activity","Activity.CV":"CBbgSc+g50qQRpeGIT3EIw.4.10","Activity.Duration":12084,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

    C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1715169375682376700_49E01608-A0CF-4AE7-9046-9786213DC423.log

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
    Malicious:false
    Reputation:unknown
    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240508T1356150468-4196.etl

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):98304
    Entropy (8bit):4.468389116322039
    Encrypted:false
    SSDEEP:
    MD5:3DAB2B7976C411A409B8768570CCAE55
    SHA1:D149D4C7FB5B0393D010D616ED7CA7CD66C84D69
    SHA-256:044D3C69AF00769CDEFE469244586C23A394A4E490D1989C7C6A16E6236C2219
    SHA-512:4CB5D595F08B07657310067F7409B8E10BC837243BBBA514462707D32F4AE94E576D8E8198D482CBA527A6D6FE159B3A80C2F7FB24DC2440A83C9044FEF2233F
    Malicious:false
    Reputation:unknown
    Preview:............................................................................`...p...d......>...................eJ..............Zb..2.......................................@.t.z.r.e.s...d.l.l.,.-.3.2.2.......................................................@.t.z.r.e.s...d.l.l.,.-.3.2.1.............................................................g..Y.............>...........v.2._.O.U.T.L.O.O.K.:.1.0.6.4.:.4.1.6.6.d.a.9.d.d.7.d.7.4.5.c.5.8.2.2.8.d.9.a.b.7.f.9.b.3.9.4.5...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.5.0.8.T.1.3.5.6.1.5.0.4.6.8.-.4.1.9.6...e.t.l.......P.P.p...d......>...........................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):30
    Entropy (8bit):1.2389205950315936
    Encrypted:false
    SSDEEP:
    MD5:FC7ABB379A2629368CC6CCF69F845D06
    SHA1:02CF336266971747009F5442D5C64413B0C075C4
    SHA-256:36FF6FED591DA8E5DCF36363002800ECBFD1F7FDF11308798A836B4A6153E91C
    SHA-512:6EC09FA3DCF3ED1B4D7D8E60DEA2D4EE7EDA1FD26FEF946467415F47A1889B6A13325F1EDA0F5877FE19FEA2E7F8B996ADCD85F2EB0755BDBE766F1D6B151B2D
    Malicious:false
    Reputation:unknown
    Preview:..............................

    C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Composite Document File V2 Document, Cannot read section info
    Category:dropped
    Size (bytes):2560
    Entropy (8bit):2.016991364538616
    Encrypted:false
    SSDEEP:
    MD5:99999DA4784866D5E506282111EE6E60
    SHA1:863F43D1BE8281DB3B77868056132F59192756A4
    SHA-256:76386788439BC34A80560BE9C02DC7CE26CB45DC46C6E63995E66C0316CA22D1
    SHA-512:5D3EE571CA1405780CA0A08756BC6F6F4814EC8CF2E1A03E6182ACE67947BF1E2B9373429A251B9FC5EC7F7E9D1C43A61BFF78EB71CA50F8F9C09C75235A9EFE
    Malicious:false
    Reputation:unknown
    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm (copy)

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):0
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:
    MD5:219FAEC747E0EFCA440608B929B8976F
    SHA1:C5DC40B87E535AB0DE3D22ED05DA67955F527EF1
    SHA-256:19EA0ADF8A99FAECE22208FD0772B244D7F5E4E28B40F40591E6A2A8BEC7306E
    SHA-512:68E788B1320AA529B73AF798788F8B3AD1F31C6165FB3AF10A7337FD9919AE0D31E629ABEDD1D471E08E86DA65BA641E0CB5D0052426934BBA29440F62D7F5BC
    Malicious:false
    Reputation:unknown
    Preview:PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R*.D.g..3.H....M!`.l.....J.j;*...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:modified
    Size (bytes):162
    Entropy (8bit):3.7946653282965834
    Encrypted:false
    SSDEEP:
    MD5:9837AA83873AEB431B42022ADCFF8C32
    SHA1:15691DBC198B8675163AA0B11E447410AE6AD054
    SHA-256:7CD4CBEA04F2E548860D3C699F109ECD8B62D40FF4E30E1A12DC55F58D2BBAC7
    SHA-512:3C7362FC8DDAC8B75368E38F568A38AE3711C497F013881B57332EEBCF8746D83B59559407F95177F83D8DCBFB5547CC7C5E0B8865E72C07ECB2CD150E524DB5
    Malicious:false
    Reputation:unknown
    Preview:.user...................................................c.a.l.i....E...<.u.....c .._...[..Xz.dM...PF.....b.....c .._...l..x.G.x...x...M...........x....c ..\...l..

    C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Word 2007+
    Category:dropped
    Size (bytes):19616
    Entropy (8bit):7.477689097108452
    Encrypted:false
    SSDEEP:
    MD5:219FAEC747E0EFCA440608B929B8976F
    SHA1:C5DC40B87E535AB0DE3D22ED05DA67955F527EF1
    SHA-256:19EA0ADF8A99FAECE22208FD0772B244D7F5E4E28B40F40591E6A2A8BEC7306E
    SHA-512:68E788B1320AA529B73AF798788F8B3AD1F31C6165FB3AF10A7337FD9919AE0D31E629ABEDD1D471E08E86DA65BA641E0CB5D0052426934BBA29440F62D7F5BC
    Malicious:false
    Reputation:unknown
    Preview:PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R*.D.g..3.H....M!`.l.....J.j;*...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 8 10:56:46 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2673
    Entropy (8bit):3.9892065017626828
    Encrypted:false
    SSDEEP:
    MD5:F2D788F6A7A63D1EB5A6E060193B6FBC
    SHA1:454CD472FDDB6471AA105F8C2F7B9AEEFEBEFBA1
    SHA-256:1E303CF60ECDA7A5F594AB7FBD5D5EB425899443C857A89AEC6933C53612E41F
    SHA-512:F0873978ACE62757952C28306E93A91148E4236C816767287819E473267528478889EEA0A8A62B47E7B6D6CD1D16E3ABBDE3C1D9989D2145F302687334435107
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,.....Tq.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X._...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 8 10:56:46 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2675
    Entropy (8bit):4.004885936185409
    Encrypted:false
    SSDEEP:
    MD5:CAC78A8F1DEBDC2694A9DF52C4318BDA
    SHA1:56DFA7F18DCF23468785962F54878098130BE3DE
    SHA-256:CD2F6E3D74EDB046712D01F4F615B37C6A3D14756A6BE63AFFE101D3705A3524
    SHA-512:EBD07358E2C9013E4EFE8A09927700EBF71F19E5824E8CFFBA53A32DBEB1AF331E35F46ADCEDD8B4FC406E4C92879840BD9FB8EAD840EAF210A4AB5B20FAECE4
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,.....e.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X._...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2689
    Entropy (8bit):4.011299723680317
    Encrypted:false
    SSDEEP:
    MD5:23255AF2F4771D65B4CFF39F72EDFB07
    SHA1:AEE58FB5085A519003B56453D82DC5DB01C5A02D
    SHA-256:5DB6A3AB4071F8C412CA05D7CCBED12018C01E02962EF4A7BA5A47CB0B38028F
    SHA-512:A0B2ED4A6FF1DD5E6A706A9D81F0A16D17338C2074C1802E86DE94E6D1F82306196D98C84B1BFC1077F8021062D6C95FC49F6578F67882BCA886AAED43D4698E
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 8 10:56:46 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2677
    Entropy (8bit):4.000393251286238
    Encrypted:false
    SSDEEP:
    MD5:B266D74FE8CFF35A5B0AC685634D20EE
    SHA1:7157F1B9B620D5243A80A4518B42B64B56AA2C8B
    SHA-256:C125C95267D50081418382A2EE176E5B8389416014485A03392A4678F02C65C7
    SHA-512:49482F686B5E2A1B50AAD8033A3A68326ECBC435FBA863D02F93E2B2E17227745FFE906A7C0EA3ED8B9997288A3447D99C2383C41F2CCAA8D7EA5F83BAE45262
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,....y._.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X._...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 8 10:56:46 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2677
    Entropy (8bit):3.9902501281696683
    Encrypted:false
    SSDEEP:
    MD5:8BE82B98E045F4406252C81FF042E612
    SHA1:67380115253B6B4C29011586EB277D859A4F5B72
    SHA-256:D2DFC07F4C7522B9809788E8403095C67F153587F3F4F43BF15E74731700EBD0
    SHA-512:FC1D300CA593094928DFF869D004A1E1B61C853448B53DB44537E2147F391506859D523BE22B16A0EC4743840CEE48475B1478183190AB4B9062588D852F5EA2
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,....=.k.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X._...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

    Download File
    Process:C:\Program Files\Google\Chrome\Application\chrome.exe
    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed May 8 10:56:46 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
    Category:dropped
    Size (bytes):2679
    Entropy (8bit):4.000277118108726
    Encrypted:false
    SSDEEP:
    MD5:EAD11C485AB6AB49FD60CD7CA38325E6
    SHA1:12800527BD52AEDD9DE2FB0F96EC4675960B44A1
    SHA-256:D10461BA3DC27EB9FDFA0D956D43F3B3E721A66015C4838A98520FAD51A34B2D
    SHA-512:356CF6CB7946B8957B2BB50DBFA97225F26CCA9F3EA8E4344DA6C4474C33977BB83FDDDD588F21EDF1A26E3832E7455FD5163A1A61861A6AFE83199447D1768D
    Malicious:false
    Reputation:unknown
    Preview:L..................F.@.. ...$+.,.....RV.>...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.X.^....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X._....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.X._....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.X._..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.X._...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........w.$}.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

    C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):1.6315852698898985
    Encrypted:false
    SSDEEP:
    MD5:6E80FDC36BB0E5EB23DB02B5A3B15AAA
    SHA1:109CBB892955004174326EFB3B4BC761B9D3B624
    SHA-256:3945D8B9BE3C165E16E430C97A77ED306FFA7583FF9C911BA6BA066A009AEE81
    SHA-512:A08B9F6D5F883488A70A9D136B0A951CE65D41DE5CB990F3F4E94963D6B16F36D9CBC7B557619BDF673BB649E6C8CAC83A05379843309B0C49EC5B743695F148
    Malicious:false
    Reputation:unknown
    Preview:!BDN%.o.SM......\...'...................q................@...........@...@...................................@...........................................................................$.......D......@........................V..................................................................................................................................................................................................................................................................................................|.......y.g.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

    C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

    Download File
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):2.1255861475676254
    Encrypted:false
    SSDEEP:
    MD5:C43247D1718780FA1912F1713C39C627
    SHA1:62433530D0E5F068A4E1D60B9127A34E4882945D
    SHA-256:B8BB5C9B007C41E27AE45566C85634C7AD7F3FCE446B23C487CDC8CEAEF93921
    SHA-512:A499A19F3EB7BC3069ED49773B590EB0894F777F6D7B5EA75339E5DD2684EA57174ADACC61BFEA8271F3288FF0A9F6963CD832A102126D4207E7D0C475382FF5
    Malicious:false
    Reputation:unknown
    Preview:.q..0...8.......d...6...>........D............#...|............|.......................................>.............................................................................................................................................................................................................................................................................................................................................................................................................................................................A.S.D..........0...9.......d...6...>........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

    Static File Info

    General

    File type:Zip archive data, at least v4.5 to extract, compression method=deflate
    Entropy (8bit):7.988670393301542
    TrID:
    • ZIP compressed archive (8000/1) 100.00%
    File name:Quarantined Messages (17).zip
    File size:20'039 bytes
    MD5:0e470fd94fe661e546140b0111a37e48
    SHA1:126377a97ec72294bafef89bcb02955996964f7f
    SHA256:02f88e0effb254717f1b1ed9264e3a6ec0118eee0854e900979303b277e1724f
    SHA512:b6260a36b58e82e481fb0f4bc35a29dcf62ab18434acf851e74c01be89fdeba6fb7aa8cf2d27f1ccb1917a37aad1d75f55b68ad4a03bd2d6eefd2875f7605d0b
    SSDEEP:384:gUf12VkQNuqsF8uh8kzpgqqH8EamQn5GP8+gRqeU3v:gUf1tQNsFVh8kiH8EE0U+gRqvv
    TLSH:9792F1EA974E0958AA5D13370153B768193DC0F712C112ACBAE71A36D4FEF09CA0AC1B
    File Content Preview:PK..-......^.X_.c.........M...c8d6f348-2c7f-4373-d490-08dc6d99c1ea/3776921e-2a18-2cd4-aaec-da6b081172ed.eml....M........M........&M...*..y.Q..K....#....O\...A.,>)r.X!...[.....#...|....]_s+d......{n..;.h7]..*@]..._Z7 ....?.......e.q...w....d..:..P.ml.9jB.J

    File Icon

    Icon Hash:1c1c1e4e4ececedc