Edit tour

Windows Analysis Report
23eb97f4-980c-745d-c5e2-6fdb70189e48.eml

Overview

General Information

Sample name:	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml
Analysis ID:	1467192
MD5:	0504a9e027463df2524c34785c4370df
SHA1:	1e3cc9cf6800430e50608eef513c0c62142684ed
SHA256:	0c021dd3dedb4f581c35c5e23b18fcad472f318207f64545a015a469bef89091
Infos:

Detection

HTMLPhisher

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected phishing page

Yara detected HtmlPhish29

AI detected suspicious e-Mail

Office viewer loads remote template

Phishing site detected (based on shot match)

Tries to detect the country of the analysis system (by using the IP)

Detected clear text password fields (password is not hidden)

Detected non-DNS traffic on DNS port

HTML page contains hidden URLs or javascript code

Queries the volume information (name, serial number etc) of a device

Sigma detected: Excel Network Connections

Sigma detected: Office Autorun Keys Modification

Sigma detected: Suspicious Office Outbound Connections

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 1428 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\23eb97f4-980c-745d-c5e2-6fdb70189e48.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 5008 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3746BD7C-CAAA-4E9B-B5E3-A783F3BDADA9" "EAC5D534-D677-47E3-848A-9EE2928924C7" "1428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

EXCEL.EXE (PID: 6328 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ETS9RD8W\Mitek Holdings Inc Remittance Advice.xlsx" MD5: 4A871771235598812032C822E6F68F19)

EXCEL.EXE (PID: 6596 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" /Embedding MD5: 4A871771235598812032C822E6F68F19)

chrome.exe (PID: 6616 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://form.questionscout.com/667c5a5b01ef84c1eaf4663e MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6680 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2024,i,8418763609125932989,11422265555400074771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

splwow64.exe (PID: 1360 cmdline: C:\Windows\splwow64.exe 12288 MD5: 77DE7761B037061C7C112FD3C5B91E73)

cleanup

Yara Signatures

HTML

Source	Rule	Description	Author
0.2.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.0.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.3.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.2.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.4.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.0.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.1.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.2.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.3.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.0.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
0.4.pages.csv	JoeSecurity_HtmlPhish_29	Yara detected HtmlPhish_29	Joe Security
Click to see the 8 entries

Sigma Signatures

Sigma detected: Excel Network Connections

Source: Network Connection

Author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton: Data: DestinationIp: 13.107.246.60, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6328, Protocol: tcp, SourceIp: 192.168.2.17, SourceIsIpv6: false, SourcePort: 58032

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 1428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.17, DestinationIsIpv6: false, DestinationPort: 58032, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE, Initiated: true, ProcessId: 6328, Protocol: tcp, SourceIp: 13.107.246.60, SourceIsIpv6: false, SourcePort: 443

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: geolocation-db.com

Phishing

AI detected phishing page

Source: https://form.questionscout.com	LLM: Score: 9 brands: Microsoft 365 Reasons: The URL 'https://form.questionscout.com' does not match the legitimate domain associated with Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form requesting an email address and password, which is a common tactic used in phishing attacks. The use of a third-party domain (questionscout.com) instead of the official Microsoft domain is highly suspicious and indicative of a phishing attempt. Additionally, there is no CAPTCHA present, which is often used by legitimate sites to prevent automated attacks. The overall design and branding attempt to mimic Microsoft 365, employing social engineering techniques to mislead users. DOM: 0.0.pages.csv
Source: https://form.questionscout.com	LLM: Score: 9 brands: Microsoft 365 Reasons: The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form asking for email and password, which is a common tactic used in phishing attacks. The use of the Microsoft 365 branding on a non-Microsoft domain is suspicious and indicative of social engineering techniques aimed at misleading users. There is no captcha present, which is often used on legitimate login pages to prevent automated attacks. Based on these factors, the site is highly likely to be a phishing site. DOM: 0.2.pages.csv
Source: https://form.questionscout.com	LLM: Score: 10 brands: Microsoft 365 Reasons: The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page displays a prominent login form asking for email and password, which is a common phishing tactic. The use of offensive language in the email and password fields is highly suspicious and unprofessional, indicating malicious intent. Additionally, the domain 'questionscout.com' is not associated with Microsoft 365. The presence of social engineering techniques and suspicious elements strongly suggests that this is a phishing site. DOM: 0.4.pages.csv
Source: https://form.questionscout.com	LLM: Score: 10 brands: Microsoft 365 Reasons: The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form asking for an email address and password, which is a common phishing technique. The domain 'questionscout.com' is unrelated to Microsoft, raising suspicion. Additionally, the use of offensive language in the email and password fields is highly unprofessional and indicative of a phishing attempt. The site uses social engineering techniques to mislead users into thinking it is a legitimate Microsoft 365 login page. DOM: 0.3.pages.csv

Yara detected HtmlPhish29

Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.3.pages.csv, type: HTML
Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.4.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.1.pages.csv, type: HTML
Source: Yara match	File source: 0.2.pages.csv, type: HTML
Source: Yara match	File source: 0.3.pages.csv, type: HTML
Source: Yara match	File source: 0.0.pages.csv, type: HTML
Source: Yara match	File source: 0.4.pages.csv, type: HTML

Phishing site detected (based on shot match)

Source: https://v8ylw.pargape.com/4wmGg/	Matcher: Template: captcha matched
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/tk19v/0x4AAAAAAAZ_ULCgVPKce-5k/auto/normal	Matcher: Template: captcha matched
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/tk19v/0x4AAAAAAAZ_ULCgVPKce-5k/auto/normal	Matcher: Template: captcha matched

Source: https://form.questionscout.com/667c5a5b01ef84c1eaf4663e

HTTP Parser: <input type="text"... for password input

Source: https://v8ylw.pargape.com/4wmGg/

HTTP Parser: Base64 decoded: <!DOCTYPE html><html lang="en"><head> <script src="https://code.jquery.com/jquery-3.6.0.min.js"></script> <script src="https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit"></script> <script src="https://cdnjs.cloudflar...

Source: https://v8ylw.pargape.com/4wmGg/	HTTP Parser: No favicon
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/tk19v/0x4AAAAAAAZ_ULCgVPKce-5k/auto/normal	HTTP Parser: No favicon
Source: https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/tk19v/0x4AAAAAAAZ_ULCgVPKce-5k/auto/normal	HTTP Parser: No favicon

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:58022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:58043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.182:443 -> 192.168.2.17:58044 version: TLS 1.2

Source: excel.exe

Memory has grown: Private usage: 1MB later: 88MB

Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 192.168.2.17:57986 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 13.85.23.86
Source: unknown	TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: form.questionscout.com
Source: global traffic	DNS traffic detected: DNS query: d3djdih2k2vfi2.cloudfront.net
Source: global traffic	DNS traffic detected: DNS query: formapi.questionscout.com
Source: global traffic	DNS traffic detected: DNS query: geolocation-db.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: brentwoodnsteel.shop
Source: global traffic	DNS traffic detected: DNS query: v8ylw.pargape.com
Source: global traffic	DNS traffic detected: DNS query: xks.vrt7119.ru
Source: global traffic	DNS traffic detected: DNS query: a.nel.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: code.jquery.com
Source: global traffic	DNS traffic detected: DNS query: challenges.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic	DNS traffic detected: DNS query: cdn.socket.io
Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: ok4static.oktacdn.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com

Source: unknown	Network traffic detected: HTTP traffic on port 58054 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58031 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58077 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58111 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58019 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58102
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58101
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58104
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58103
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58100
Source: unknown	Network traffic detected: HTTP traffic on port 58083 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58072 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58109
Source: unknown	Network traffic detected: HTTP traffic on port 58013 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58059 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58106
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58105
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58108
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58107
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58112
Source: unknown	Network traffic detected: HTTP traffic on port 58065 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58105 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58111
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58110
Source: unknown	Network traffic detected: HTTP traffic on port 58048 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58003
Source: unknown	Network traffic detected: HTTP traffic on port 58104 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58095 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58047 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58078 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58110 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58009
Source: unknown	Network traffic detected: HTTP traffic on port 58053 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58008
Source: unknown	Network traffic detected: HTTP traffic on port 58042 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58013
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58016
Source: unknown	Network traffic detected: HTTP traffic on port 58090 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58015
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58012
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58011
Source: unknown	Network traffic detected: HTTP traffic on port 58084 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58008 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58025 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58029 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58012 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58073 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58096 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57999 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58058 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58035 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58064 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58041 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58030 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58112 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58101 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58069 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58023 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58079 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58052 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58091 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58100 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58024 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58080 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58106 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58074 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58057 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58018 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58046 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58063 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58039 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58016 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58069
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58068
Source: unknown	Network traffic detected: HTTP traffic on port 58068 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58065
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58064
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58067
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58066
Source: unknown	Network traffic detected: HTTP traffic on port 58102 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58061
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58063
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58062
Source: unknown	Network traffic detected: HTTP traffic on port 58045 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58022 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58097 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 58108 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57998 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58034 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58051 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58079
Source: unknown	Network traffic detected: HTTP traffic on port 58092 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58076
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58075
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58078
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58077
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58072
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58071
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58074
Source: unknown	Network traffic detected: HTTP traffic on port 58086 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58073
Source: unknown	Network traffic detected: HTTP traffic on port 58040 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58070
Source: unknown	Network traffic detected: HTTP traffic on port 58027 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58107 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58075 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58033 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58056 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58087
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58086
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58089
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58088
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58083
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58082
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58084
Source: unknown	Network traffic detected: HTTP traffic on port 58081 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58028 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58062 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58081
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58080
Source: unknown	Network traffic detected: HTTP traffic on port 58011 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58070 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58067 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58098
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58097
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58099
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58094
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58093
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58096
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58095
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58090
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58092
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58091
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58109 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58018
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58019
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58025
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58024
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58027
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58026
Source: unknown	Network traffic detected: HTTP traffic on port 58093 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58087 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58023
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58022
Source: unknown	Network traffic detected: HTTP traffic on port 58049 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58009 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58055 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58003 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58076 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58029
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58028
Source: unknown	Network traffic detected: HTTP traffic on port 58038 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58035
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58038
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58037
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58032
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58031
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58034
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58033
Source: unknown	Network traffic detected: HTTP traffic on port 58061 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58030
Source: unknown	Network traffic detected: HTTP traffic on port 58082 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 57997 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58039
Source: unknown	Network traffic detected: HTTP traffic on port 58071 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58037 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58066 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58047
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58046
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58049
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58048
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58043
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58042
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58045
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58041
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58040
Source: unknown	Network traffic detected: HTTP traffic on port 58043 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58099 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57999
Source: unknown	Network traffic detected: HTTP traffic on port 58015 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58032 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57998
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 57997
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58058
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58057
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58059
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58054
Source: unknown	Network traffic detected: HTTP traffic on port 58094 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58053
Source: unknown	Network traffic detected: HTTP traffic on port 58088 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58056
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58055
Source: unknown	Network traffic detected: HTTP traffic on port 58103 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58052
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58051

Source: unknown	HTTPS traffic detected: 13.85.23.86:443 -> 192.168.2.17:58022 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58032 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58034 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58033 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.246.60:443 -> 192.168.2.17:58035 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:58043 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.23.209.182:443 -> 192.168.2.17:58044 version: TLS 1.2

Source: classification engine

Classification label: mal72.phis.evad.winEML@27/52@54/144

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240703T1431450296-1428.etl

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\23eb97f4-980c-745d-c5e2-6fdb70189e48.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3746BD7C-CAAA-4E9B-B5E3-A783F3BDADA9" "EAC5D534-D677-47E3-848A-9EE2928924C7" "1428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ETS9RD8W\Mitek Holdings Inc Remittance Advice.xlsx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3746BD7C-CAAA-4E9B-B5E3-A783F3BDADA9" "EAC5D534-D677-47E3-848A-9EE2928924C7" "1428" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" /Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://form.questionscout.com/667c5a5b01ef84c1eaf4663e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2024,i,8418763609125932989,11422265555400074771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ETS9RD8W\Mitek Holdings Inc Remittance Advice.xlsx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE" /Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://form.questionscout.com/667c5a5b01ef84c1eaf4663e
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=2024,i,8418763609125932989,11422265555400074771,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Persistence and Installation Behavior

AI detected suspicious e-Mail

Source: e-Mail

LLM: Score: 9 Reasons: The email impersonates Microsoft, a well-known brand. The sender's email address 'microsoft@mii.com' is suspicious and does not match Microsoft's official domain. The subject line 'Microsoft Corporate Structure' is designed to create interest. The email body contains a hyperlink 'www.mii.com/corporate-structure/' that does not lead to an official Microsoft website, indicating a potential phishing attempt.

Office viewer loads remote template

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE

Section loaded: netapi32.dll and davhlpr.dll loaded

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\splwow64.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX

Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000
Source: C:\Windows\splwow64.exe	Thread delayed: delay time: 120000

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	3 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 Registry Run Keys / Startup Folder	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	1 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	1 DLL Side-Loading	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Extra Window Memory Injection	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Name	IP	Active	Malicious	Reputation
dualstack.awseb-awseb-147jj8pq9oolw-1566203385.us-east-1.elb.amazonaws.com	50.16.154.212	true	false	unknown
a.nel.cloudflare.com	35.190.80.1	true	false	unknown
github.com	140.82.121.4	true	false	unknown
d3djdih2k2vfi2.cloudfront.net	18.245.33.131	true	false	unknown
geolocation-db.com	159.89.102.253	true	true	unknown
brentwoodnsteel.shop	69.49.245.172	true	false	unknown
v8ylw.pargape.com	188.114.96.3	true	false	unknown
code.jquery.com	151.101.130.137	true	false	unknown
d2vgu95hoyrpkh.cloudfront.net	13.227.219.47	true	false	unknown
cdnjs.cloudflare.com	104.17.24.14	true	false	unknown
challenges.cloudflare.com	104.17.2.184	true	false	unknown
www.google.com	216.58.206.36	true	false	unknown
xks.vrt7119.ru	172.67.169.107	true	false	unknown
questionscout-form-api-prod.us-east-1.elasticbeanstalk.com	18.208.94.120	true	false	unknown
d19d360lklgih4.cloudfront.net	65.9.86.73	true	false	unknown
objects.githubusercontent.com	185.199.108.133	true	false	unknown
s-part-0032.t-0009.t-msedge.net	13.107.246.60	true	false	unknown
form.questionscout.com	unknown	unknown	true	unknown
cdn.socket.io	unknown	unknown	true	unknown
formapi.questionscout.com	unknown	unknown	true	unknown
ok4static.oktacdn.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Reputation
https://challenges.cloudflare.com/cdn-cgi/challenge-platform/h/g/turnstile/if/ov2/av0/rcv0/0/tk19v/0x4AAAAAAAZ_ULCgVPKce-5k/auto/normal	true	unknown
https://v8ylw.pargape.com/4wmGg/	true	unknown
https://form.questionscout.com/667c5a5b01ef84c1eaf4663e	true	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
142.250.185.78	unknown	United States	15169	GOOGLEUS	false
142.250.186.170	unknown	United States	15169	GOOGLEUS	false
52.109.89.18	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.189.173.4	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.89.119	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.42.65.84	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.107.246.60	s-part-0032.t-0009.t-msedge.net	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.58.206.36	www.google.com	United States	15169	GOOGLEUS	false
142.250.185.202	unknown	United States	15169	GOOGLEUS	false
216.58.206.35	unknown	United States	15169	GOOGLEUS	false
172.67.169.107	xks.vrt7119.ru	United States	13335	CLOUDFLARENETUS	false
151.101.130.137	code.jquery.com	United States	54113	FASTLYUS	false
104.17.3.184	unknown	United States	13335	CLOUDFLARENETUS	false
23.211.8.90	unknown	United States	16625	AKAMAI-ASUS	false
142.250.185.163	unknown	United States	15169	GOOGLEUS	false
142.250.186.110	unknown	United States	15169	GOOGLEUS	false
35.190.80.1	a.nel.cloudflare.com	United States	15169	GOOGLEUS	false
172.217.18.10	unknown	United States	15169	GOOGLEUS	false
66.102.1.84	unknown	United States	15169	GOOGLEUS	false
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.17.24.14	cdnjs.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
3.212.145.1	unknown	United States	14618	AMAZON-AESUS	false
3.165.214.11	unknown	United States	16509	AMAZON-02US	false
216.58.206.67	unknown	United States	15169	GOOGLEUS	false
69.49.245.172	brentwoodnsteel.shop	United States	46606	UNIFIEDLAYER-AS-1US	false
18.245.33.131	d3djdih2k2vfi2.cloudfront.net	United States	16509	AMAZON-02US	false
159.89.102.253	geolocation-db.com	United States	14061	DIGITALOCEAN-ASNUS	true
50.16.154.212	dualstack.awseb-awseb-147jj8pq9oolw-1566203385.us-east-1.elb.amazonaws.com	United States	14618	AMAZON-AESUS	false
104.21.79.87	unknown	United States	13335	CLOUDFLARENETUS	false
2.19.126.151	unknown	European Union	16625	AKAMAI-ASUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
188.114.96.3	v8ylw.pargape.com	European Union	13335	CLOUDFLARENETUS	false
54.196.6.6	unknown	United States	14618	AMAZON-AESUS	false
18.208.94.120	questionscout-form-api-prod.us-east-1.elasticbeanstalk.com	United States	14618	AMAZON-AESUS	false
104.17.2.184	challenges.cloudflare.com	United States	13335	CLOUDFLARENETUS	false
52.109.76.243	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1467192
Start date and time:	2024-07-03 20:31:18 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml
Detection:	MAL
Classification:	mal72.phis.evad.winEML@27/52@54/144
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.113.194.132, 52.109.76.243, 2.19.126.151, 2.19.126.160
Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, weu-azsc-config.officeapps.live.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, a1864.dscd.akamai.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: 23eb97f4-980c-745d-c5e2-6fdb70189e48.eml

LLM Input / Output

Input	Output
URL: e-Mail Model: gpt-4o	```json{ "riskscore": 9, "brand_impersonated": "Microsoft", "reasons": "The email impersonates Microsoft, a well-known brand. The sender's email address 'microsoft@mii.com' is suspicious and does not match Microsoft's official domain. The subject line 'Microsoft Corporate Structure' is designed to create interest. The email body contains a hyperlink 'www.mii.com/corporate-structure/' that does not lead to an official Microsoft website, indicating a potential phishing attempt."}

URL: https://form.questionscout.com/667c5a5b01ef84c1eaf4663e Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a login form which explicitly requests sensitive information such as email addresses and passwords.","The text does not create a sense of urgency or interest.","There is no CAPTCHA or anti-robot detection mechanism present on the webpage."]}
Title: M l C R 0 S 0 F T - 0 F F l C E - 365 \| QuestionScout OCR: Microsoft 365 * EMAIL ADDRES * PASSWORD SIGN IN
URL: https://form.questionscout.com/667c5a5b01ef84c1eaf4663e Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a login form as it explicitly requests for sensitive information such as email addresses and passwords.","The text does not create a sense of urgency as it does not contain phrases that typically create urgency such as 'Click here to view document' or 'To view secured document click here'.","The webpage does not contain a CAPTCHA or any anti-robot detection mechanism."]}
Title: M l C R 0 S 0 F T - 0 F F l C E - 365 \| QuestionScout OCR: Microsoft 365 * EMAIL ADDRES areUaPHlSHlNGl * PASSWORD SIGN IN
URL: https://form.questionscout.com Model: gpt-4o	```json{ "phishing_score": 9, "brands": "Microsoft 365", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": false, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://form.questionscout.com' does not match the legitimate domain associated with Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form requesting an email address and password, which is a common tactic used in phishing attacks. The use of a third-party domain (questionscout.com) instead of the official Microsoft domain is highly suspicious and indicative of a phishing attempt. Additionally, there is no CAPTCHA present, which is often used by legitimate sites to prevent automated attacks. The overall design and branding attempt to mimic Microsoft 365, employing social engineering techniques to mislead users."}

URL: https://form.questionscout.com Model: gpt-4o	```json{ "phishing_score": 9, "brands": "Microsoft 365", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": false, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form asking for email and password, which is a common tactic used in phishing attacks. The use of the Microsoft 365 branding on a non-Microsoft domain is suspicious and indicative of social engineering techniques aimed at misleading users. There is no captcha present, which is often used on legitimate login pages to prevent automated attacks. Based on these factors, the site is highly likely to be a phishing site."}

URL: https://form.questionscout.com/667c5a5b01ef84c1eaf4663e Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a login form as it explicitly requests sensitive information such as email addresses and passwords.","No elements creating a sense of urgency were found in the text.","No CAPTCHA or anti-robot detection mechanism was found on the webpage."]}
Title: M l C R 0 S 0 F T - 0 F F l C E - 365 \| QuestionScout OCR: Microsoft 365 * EMAIL ADDRES areUaPHlSHl * PASSWORD AreYouAnlndianPhishingFaggotl SIGN IN
URL: https://form.questionscout.com/667c5a5b01ef84c1eaf4663e Model: Perplexity: mixtral-8x7b-instruct	{"loginform": true,"urgency": false,"captcha": false,"reasons": ["The webpage contains a login form which explicitly requests sensitive information such as email addresses and passwords.","There is no sense of urgency in the text.","There is no CAPTCHA or anti-robot detection mechanism present on the webpage."]}
Title: M l C R 0 S 0 F T - 0 F F l C E - 365 \| QuestionScout OCR: Microsoft 365 * EMAIL ADDRES areUaPHlSHl * PASSWORD eYouAnlndianPhishingFaggotTakingOrdersFromAFickheadtoPhishtheOrganizationWithoutTellin SIGN IN
URL: https://form.questionscout.com Model: gpt-4o	```json{ "phishing_score": 10, "brands": "Microsoft 365", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page displays a prominent login form asking for email and password, which is a common phishing tactic. The use of offensive language in the email and password fields is highly suspicious and unprofessional, indicating malicious intent. Additionally, the domain 'questionscout.com' is not associated with Microsoft 365. The presence of social engineering techniques and suspicious elements strongly suggests that this is a phishing site."}

URL: https://form.questionscout.com Model: gpt-4o	```json{ "phishing_score": 10, "brands": "Microsoft 365", "phishing": true, "suspicious_domain": true, "has_prominent_loginform": true, "has_captcha": false, "setechniques": true, "has_suspicious_link": true, "legitmate_domain": "microsoft.com", "reasons": "The URL 'https://form.questionscout.com' does not match the legitimate domain for Microsoft 365, which is 'microsoft.com'. The page prominently displays a login form asking for an email address and password, which is a common phishing technique. The domain 'questionscout.com' is unrelated to Microsoft, raising suspicion. Additionally, the use of offensive language in the email and password fields is highly unprofessional and indicative of a phishing attempt. The site uses social engineering techniques to mislead users into thinking it is a legitimate Microsoft 365 login page."}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.387262113682852
Encrypted:	false
SSDEEP:
MD5:	D2A5E116D72A5D1E3A9760CF3345219F
SHA1:	CAA9967755690C377B35A051BA4898490430EE36
SHA-256:	ED032F7EDD7A6C8C6EBDC8325B088C8D31F1FF1A112C45FBC87DF66033A1C45F
SHA-512:	C5266B536DA0A8C35DAEBF272079D4C191764B49C4467B21D75F26034DF1EA9E9E886F5331D3DC6AD901A14B6CDAE60EA037137E2020EEDA181D62798EFE04B5
Malicious:	false
Reputation:	unknown
Preview:	TH02...... ...c:w.......SM01X...,.....T:w...........IPM.Activity...........h...............h............H..h.o...........h........(...H..h\tor ...AppD...h....0...8.o....h...j...........h........_`.k...h]..j@...I.+w...h....H...8..k...0....T...............d.........2h...............k..;.......3...!h.............. h..a.....P.o...#h....8.........$h(.......8....."h........h.....'h..x...........1h...j<.........0h....4.....k../h....h......kH..h.4..p....o...-h .......\|.o...+h...j.....o......... ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Jul 3 17:32:16 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.9936469488141677
Encrypted:	false
SSDEEP:
MD5:	E94821B4A7A611D58798804E69437451
SHA1:	1BCF22CDEA4287FF05DD47E2C40934A26F4333E1
SHA-256:	1262795AC3AF0D016FBF21F243F707F84FA775624C1248840E1DE75546F12448
SHA-512:	3DE9767B5B5CC3129A0A15AA65E7FE2C4AAB851268F8CC4D180FEA71BA6660CBC8E13198EC4FFDE121238745972AAB0E47115A00D8F315247E1D869D2A81B0CB
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....2o.Tw.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.X.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.X......L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.X......M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.X.............................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.X.............................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i..............&.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

File type:	RFC 822 mail, ASCII text, with very long lines (566), with CRLF line terminators
Entropy (8bit):	6.086439021145469
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	23eb97f4-980c-745d-c5e2-6fdb70189e48.eml
File size:	199'488 bytes
MD5:	0504a9e027463df2524c34785c4370df
SHA1:	1e3cc9cf6800430e50608eef513c0c62142684ed
SHA256:	0c021dd3dedb4f581c35c5e23b18fcad472f318207f64545a015a469bef89091
SHA512:	28a28cf2b1cae77c1818a37b39b5119655927e0eaab23b06f2e423f8e6d1065a067c089f981b3f7681fb7f9bf15457f44e74d87b9ece692f0241ca2128657509
SSDEEP:	3072:S+4oJQXNCLCZMz0HW9jPuO/zhFAdncPerXMdn8EWeT/4zXMmG4B:S+XJQwLCZxHOzhF+MN8P+Wu4B
TLSH:	101412FD6A1015F24F23B2F27C5C7F995E84291F17824A50A94D77143AC2E95FFAB820
File Content Preview:	Received: from IA0PR10MB6819.namprd10.prod.outlook.com (2603:10b6:208:438::14).. by SJ0PR10MB4703.namprd10.prod.outlook.com with HTTPS; Wed, 3 Jul 2024.. 16:56:44 +0000..Received: from SJ0PR03CA0045.namprd03.prod.outlook.com (2603:10b6:a03:33e::20).. by I

Subject:	Mitek Holdings Inc Advice
From:	Andrea Bonardi <a.bonardi@bassareggiana.it>
To:	remittance <remittances@westernunionsmoneytransfer.com>
Cc:
BCC:
Date:	Wed, 03 Jul 2024 18:54:59 +0200
Communications:	Please see attached for the remittance advice. Could you please allocate this payment and send an updated statement? The pass code for viewing the document is: 3432 Thank you, Andrea Bonardi Complex Director of Finance Mitek Holdings Inc Office: 503.226.7641 x20957 OR CCB: 200978 1750 NW Naito Good AfterPkwy, Ste 250, Portland, OR 97209 MiTek Inc. and its subsidiaries are a global operating company organized in five divisions that serve the residential business segment (APAC, EMEA, Residential North America, Automation Solutions [including TBS Engineering], and Services) and four divisions that serve the commercial business segment (Commercial Builder Products, Mechanical Solutions, Mezzanine Systems, and Structural Framing). Additional information about our corporate organization is available at [ http://www.mii.com/corporate-structure/ \| www.mii.com/corporate-structure/ ] . MiTek Holdings, Inc.. All Rights Reserved ---- This communication (including any attachments) contains information which is confidential and may also be privileged. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any distribution, copying, or use of this communication or the information in it is strictly prohibited. If you have received this communication in error, please notify the sender immediately and then destroy any copies of it. '. If the disclaimer can't be applied, take no action.
Attachments:	Mitek Holdings Inc Remittance Advice.xlsx

Key	Value
Received	from mailstore09-dc.ilger.com (mailstore09-dc.ilger.com [10.230.0.113]) by mta4-dc.ilger.com (Postfix) with ESMTP id 0921F1205C6; Wed, 3 Jul 2024 18:55:00 +0200 (CEST)
Authentication-Results	spf=pass (sender IP is 93.47.117.64) smtp.mailfrom=bassareggiana.it; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=bassareggiana.it;compauth=pass reason=109
Received-SPF	Pass (protection.outlook.com: domain of bassareggiana.it designates 93.47.117.64 as permitted sender) receiver=protection.outlook.com; client-ip=93.47.117.64; helo=mta4-dc.ilger.com; pr=C
X-Amavis-Modified	Mail body modified (using disclaimer) - mta4-dc.ilger.com
X-Virus-Scanned	amavis at mta4-dc.ilger.com
Date	Wed, 03 Jul 2024 18:54:59 +0200
From	Andrea Bonardi <a.bonardi@bassareggiana.it>
To	remittance <remittances@westernunionsmoneytransfer.com>
Message-ID	<1277217176.52991515.1720025699953.JavaMail.zimbra@bassareggiana.it>
Subject	Mitek Holdings Inc Advice
Content-Type	multipart/mixed; boundary="----=_Part_52991511_1702104258.1720025699945"
X-Mailer	Zimbra 9.0.0_GA_4612 (ZimbraWebClient - FF127 (Win)/9.0.0_GA_4612)
Thread-Index	hr3ElKqTN9FypyPII5ZxAqEy8ZZYcQ==
Thread-Topic	Mitek Holdings Inc Advice
Return-Path	a.bonardi@bassareggiana.it
X-EOPAttributedMessage	0
X-EOPTenantAttributedMessage	fa246a9e-8fe0-4eed-9eec-93652a25c4ee:0
X-MS-PublicTrafficType	Email
X-MS-TrafficTypeDiagnostic	MWH0EPF000971E5:EE_\|IA0PR10MB6819:EE_\|SJ0PR10MB4703:EE_
X-MS-Office365-Filtering-Correlation-Id	4a82cb33-d228-48ec-8855-08dc9b811415
X-MS-Exchange-AtpMessageProperties	SA\|SL
X-Microsoft-Antispam	BCL:0;ARA:13230040\|29132699027;
X-Forefront-Antispam-Report	CIP:93.47.117.64;CTRY:IT;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mta4-dc.ilger.com;PTR:mta4-dc.ilger.com;CAT:NONE;SFS:(13230040)(29132699027);DIR:INB;
X-Auto-Response-Suppress	DR, RN, NRN, OOF, AutoReply
X-MS-Exchange-CrossTenant-OriginalArrivalTime	03 Jul 2024 16:56:26.6216 (UTC)
X-MS-Exchange-CrossTenant-Network-Message-Id	4a82cb33-d228-48ec-8855-08dc9b811415
X-MS-Exchange-CrossTenant-Id	fa246a9e-8fe0-4eed-9eec-93652a25c4ee
X-MS-Exchange-CrossTenant-AuthSource	MWH0EPF000971E5.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs	Anonymous
X-MS-Exchange-CrossTenant-FromEntityHeader	Internet
X-MS-Exchange-Transport-CrossTenantHeadersStamped	IA0PR10MB6819
X-MS-Exchange-Transport-EndToEndLatency	00:00:17.7612830
X-MS-Exchange-Processed-By-BccFoldering	15.20.7719.007
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	lVSs2fMyy5VLh04iFI5SCggH8PYYfU/JYEdk18OOy6mUXxisXFs0s4TuRToZrM/n0XHeLL+GU0vmIcMlAfYmnpse3vKMPQ44xhYaWA1NQXOJpBqANtoQ03G+MTwbM5daYkZFGAZWqxD5KAVa0NObU1756dLVPjZ3CEP9Ue+Jh4SJF3y4+FrtmVU4DW1ae7mUJ9wR4Mb+dO8AiFsDPNVOb5ucq+S9OmFnjPsys320Lkic0m9T6g8EDUtIEYUZiBeiL2BL5Oq22xlF0nu4CIyjGVC03SUrw7DJSA2VGyiVh6Ps1Na8+QmrX3aMFBBInJP4jOTS72yA+6QB57wZNgByjPdfS04CJEE9WI3TucZVgljY5JIaQL3lhTIc9ZAgyEAQsMGh5WtlV52PnxxhuYl5gS5BnCjlZEDGOqeE9TFZpykemRfZPNIIHMwl667KFXFL9vnfC33p9xHa3uk2PWGbBTBvClLX7hONkiIPRVkJldABgA7awKu4m1OGtYxemjF15/ohc1nMX9vJHkbQ9fLbeUoV59BodlJ6zwAreZiXdA07wKuaIloFNmGgLrOWk8a1zDcfAPpX7FL+5euWE11cTSs87vR+qsESMnXc0rt2DV1bFux7foyc3IXoiVLFAYj44vtZUfwPo0s+xI7pgrhzLMwNeQfURZvh/PejHm4sFUvSi0mUv+2UtEE9WPKflMG+7xBL3J1hkXBzRSOV5IK74/vTn+fQqwG6+meYKKUlrQ0lPm5gPWUBNcRRI03T/AbW086ShgY4XjQ9I0tnb3vWf3vNFhch+4py9Fw4JYvp/458npqmk6pQR2+AFy0oFleLPbY4gTz4XsdatLsm9uET5mVoYlJHqrIWGVuksttwzJ5Qzzb9R0fX7F/uKvI+v6/L6CclCXRPIS2U/BQzwURRNJFn7RfC7kYjraIAwuBOi1FjrXDhlxLahTZ2m5VThv4YZZ0zX4Ai2EjVsB60BLty3sbtYWpdSY6pbD8IPsgDtpC5iXfgI8Z9nq1Oj1yaD6HNDiLPGJ72fxR63V7l1tokYT0rV/dTAfIy8zqMhcS+xjndI9A87JSoDwmTl6q64uWci70usEOyIfk0xP+0zcmpVgIyO210CjF797DAk28rulLE3Iu42tMGFHTEGCfzwz3nQ+xp+XCLMKd5EiZ8ZUIO8zrczlbQHfyapMjpI65tW24J9y0oSP4OEvIg2Ikg9krr6Mzp7DvOrxbk+sMYOlfXPcQZmoruxr6q8P2PkjCDFmaXnhZ6PB+1UMOxR/yrnF4NeE3kEHE3tgu/Aaf+wSNv3IL+oy/YITVIFZtkbSjgdViNMV9xNl5ZjT9PahJ1zJaLMez6KrPwn8drhmqIE45BwGQCRPPlu3ub4lxOeNCyWQcobqVDVt8P2jD3l1ecXNf015XG6+GVo2NVUvjN9E/ohtF8zP2tAd3QQ5olalh7qqJ/1bEJVnwpnW9Weq4/3wBa9jN4JbMz951cBPJ8msrrOe7VIH6RKTVdinK08BJhp5LUBZ+6cDv7F8ehF2qPz2mctyUSifaxyvPGhzcJFPlKNri+0LUOeJdAhunTjmwAOIttf7J6R42BYA8ZRycThYINUJHXb7alBbIsDIZhg/Mpx66tcRcIY+nPA4f9Iw9aVnaft8Dt8MIv3v3nJRX7cCqNyBnidMRlu/KjhtMI8gwEh0SdhHL3u16Hy1xpmys9LQ38lvy9ZZ/GdTkf6cT+ksxbqaKLvy2bzfUadm+1NMupnwH81moymPLwWHoKWDGwmYbRQ+2jh/5R62Rc7rbt+F+/iXBXVDAOsvGkaehnyzMEtPwh0n3Vz58cJwSIm8/55HHqatsRL3mZiHB4+Ge0ihx4OcA//A2NGjlCHK2Flsh6ljphcNp3AVqEGiGXyR51S1F+ObMqQ17s52qIZenxdJAfnhrNxSKmQkFXV0fslD41WCvvn5BkqR2FqRnap4IMUqHE0AeEIU0DnG9zUsuGTN0tT0PZdZFUA2F0HLe30IF+Nw==
MIME-Version	1.0

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 23eb97f4-980c-745d-c5e2-6fdb70189e48.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

HTML

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

Location Tracking

Phishing

Compliance

Software Vulnerabilities

Networking

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\839AB9F6-CA20-4F69-B2BF-B6755F4072BB

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ETS9RD8W\~$Mitek Holdings Inc Remittance Advice.xlsx

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\24F3D46E.png

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\A759858F.xlsx:Zone.Identifier

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\Diagnostics\EXCEL\App1720031521441186300_9DF7721B-D1EB-4A0F-844A-3E3A898E6662.log

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\msoC714.tmp

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\~DFB43CF7CBB735F706.TMP

C:\Users\user\AppData\Local\Packages\oice_16_974fa576_32c1d314_157c\AC\Temp\~DFE7272B4093FC720B.TMP

C:\Users\user\AppData\Local\Temp\olk873C.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Chrome Cache Entry: 124

Chrome Cache Entry: 127

Chrome Cache Entry: 128

Chrome Cache Entry: 129

Chrome Cache Entry: 133

Chrome Cache Entry: 134

Chrome Cache Entry: 135

Chrome Cache Entry: 136

Chrome Cache Entry: 139

Windows Analysis Report
23eb97f4-980c-745d-c5e2-6fdb70189e48.eml