Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
[EXTERNAL] Analyzing the Attack Surface.eml

Overview

General Information

Sample name:	[EXTERNAL] Analyzing the Attack Surface.eml
Analysis ID:	1561215
MD5:	5e68446121e76db1dfd516af399a9ef6
SHA1:	86fae100ee77c2935eb6bd1c1bb5b724881c1972
SHA256:	31c4e98cea095934a5739cf86bf5882a849f6eb8f6e2c0eacd7291347edb1acb
Infos:

Detection

Score:	1
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Sigma detected: Office Autorun Keys Modification

Suricata IDS alerts with low severity for network traffic

Classification

×

Process Tree

System is w10x64native

OUTLOOK.EXE (PID: 9688 cmdline: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\[EXTERNAL] Analyzing the Attack Surface.eml" MD5: 6BE14F2DEA2AB6B01387EC38C4977F4F)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 9688, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-22T22:51:12.089000+0100	2028371	3	Unknown Traffic	192.168.11.30	49741	23.200.88.22	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: Network traffic

Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.11.30:49741 -> 23.200.88.22:443

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: c.pki.goog

Source: [EXTERNAL] Analyzing the Attack Surface.eml	String found in binary or memory: https://gem.godaddy.com/unsubscribe?pact=9320-184795233-0192fea1-c090-72e6-aea8-f9e2a46749a5-ea96329
Source: App_1732312230978494100_4BA7F0B3-BD5D-492A-ACC3-B728FA4F3FE3.log.0.dr	String found in binary or memory: https://login.windows.net

Source: classification engine

Classification label: clean1.winEML@1/16@1/0

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_14326_20404-20241122T1650300861-9688.etl

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{529A9E6B-6587-4F23-AB9E-9C7D683E3C50}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior
Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE	File Volume queried: C:\Windows\System32 FullSizeInformation			Jump to behavior

Source: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	Path Interception	Path Interception	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	1 Non-Application Layer Protocol	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	2 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.214.172	true	false		high
pki-goog.l.google.com	142.250.65.227	true	false		high
c.pki.goog	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://login.windows.net	App_1732312230978494100_4BA7F0B3-BD5D-492A-ACC3-B728FA4F3FE3.log.0.dr	false		high
https://gem.godaddy.com/unsubscribe?pact=9320-184795233-0192fea1-c090-72e6-aea8-f9e2a46749a5-ea96329	[EXTERNAL] Analyzing the Attack Surface.eml	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1561215
Start date and time:	2024-11-22 22:46:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2021, Chrome 128, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	[EXTERNAL] Analyzing the Attack Surface.eml
Detection:	CLEAN
Classification:	clean1.winEML@1/16@1/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, BackgroundTransferHost.exe, sppsvc.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, TextInputHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.109.20.48, 52.182.143.210, 23.59.145.241
Excluded domains from analysis (whitelisted): www.bing.com, prod.ols.live.com.akadns.net, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, self.events.data.microsoft.com, tse1.mm.bing.net, ctldl.windowsupdate.com, g.bing.com, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, ecs-office.s-0005.s-msedge.net, ris.api.iris.microsoft.com, login.live.com, s-0005.s-msedge.net, e16604.g.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, onedscolprdcus10.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, ols.officeapps.live.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: [EXTERNAL] Analyzing the Attack Surface.eml

Simulations

Behavior and APIs

⊘No simulations

LLM Input / Output

Input	Output
URL: email Model: Joe Sandbox AI	{ "explanation": [ "Multiple tracking/redirect links through secureclick.net domain", "Marketing email with suspicious 'Attack Surface' subject trying to create urgency", "Contains typical mass mailing/newsletter elements and unsubscribe links" ], "phishing": false, "confidence": 7, "generated_by_ai": false }
{ "date": "Fri, 22 Nov 2024 13:19:25 +0000", "subject": "[EXTERNAL] Analyzing the Attack Surface", "communications": [ "You don't often get email from simone@hctit.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>\n\n\n\nAnalyzing the Attack Surface22 Nov 08:00 AM Insights from an Attackers Perspective...Read More\n\n[https://cascade.madmimi.com/theme_logos/0150/6694/promotion/logo.png?1723427801]\n\nAnalyzing the Attack Surface<https://email.cloud.secureclick.net/c/56657?id=9320.16.1.33e19ff7c4e153555ce8ae2ca531d282>\n22 Nov 08:00 AM\n[https://cascade.madmimi.com/bulk_images/29501352/1073925908-1024x54220241122-19614-ajecvq.jpg?1732281318]\n\nInsights from an Attackers Perspective...Read More<https://email.cloud.secureclick.net/c/56657?id=9320.17.1.0e54189ba7801d13428c80467ceec3a6>\n\n[facebook]<https://email.cloud.secureclick.net/c/56657?id=9320.18.1.d5aafb0146478aaf7b60be5cce581d4a> [linkedin] <https://email.cloud.secureclick.net/c/56657?id=9320.19.1.7ccf2780d05355179f0f8cce73ef955a>\n\n\n2024 HCTIT \| HCTIT \| 22725 Greater Mack Ave 301B #4072 \| St Clair Shores, MI 48080\n\nWeb Version<https://email.cloud.secureclick.net/c/56657?id=9320.20.1.cd1d2d47dadf9c57a1cb21f22cd7d380&p=eyJ7e21pbWktc2lnbmF0dXJlfX0iOiIxODQ3OTUyMzMtMDE5MmZlYTEtYzA5MC03MmU2LWFlYTgtZjllMmE0Njc0OWE1LWVhOTYzMjkwOTBjZmEwZjI5MjAwZjY2MmQ5ZGQ4Y2Q1ZTI5ZDNmNzYiLCJ7e2VtYWlsSWR9fSI6IjkzMjAifQ==> Forward<https://email.cloud.secureclick.net/c/56657?id=9320.21.1.1855c567356bb3bf0e347c39a5939627&p=eyJ7e21pbWktc2lnbmF0dXJlfX0iOiIxODQ3OTUyMzMtMDE5MmZlYTEtYzA5MC03MmU2LWFlYTgtZjllMmE0Njc0OWE1LWVhOTYzMjkwOTBjZmEwZjI5MjAwZjY2MmQ5ZGQ4Y2Q1ZTI5ZDNmNzYiLCJ7e2VtYWlsSWR9fSI6IjkzMjAifQ==> Unsubscribe<https://gem.godaddy.com/opt_out?pact=9320-184795233-0192fea1-c090-72e6-aea8-f9e2a46749a5-ea96329090cfa0f29200f662d9dd8cd5e29d3f76>\n\nPowered by\nGoDaddy Email Marketing <https://gem.godaddy.com/>\n" ], "from": "Simone Haddad <simone@hctit.com>", "to": "Beth Barron <beth.barron@oakville.ca>", "attachements": [] }
URL: Email Model: Joe Sandbox AI	{ "contains_trigger_text": true, "trigger_text": "Insights from an Attacker's Perspective...", "prominent_button_name": "Web Version", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: Joe Sandbox AI	{ "brands": [ "HCTT", "HCTT" ] }
	{ "brands": [ "HCTT", "HCTT" ] }

Joe Sandbox View / Context

IPs

⊘No context

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	LRkZCtzQ3.ps1	Get hash	malicious	Unknown	Browse	199.232.210.172
	file.exe	Get hash	malicious	RedLine, SectopRAT	Browse	199.232.214.172
	filepdf.pdf.lnk.download.lnk	Get hash	malicious	Unknown	Browse	199.232.214.172
	VKXD1NsFdC.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	hx0XzDVE1J.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	PZI8hMQHWg.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	lIUubnREXh.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	cFIg55rrfH.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
	VKXD1NsFdC.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.214.172
	jsYhI4KOpg.exe	Get hash	malicious	ScreenConnect Tool	Browse	199.232.210.172
pki-goog.l.google.com	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.17.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	172.217.17.35
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.181.131
	740d3a.msi	Get hash	malicious	Unknown	Browse	142.250.176.195
	file.exe	Get hash	malicious	Credential Flusher	Browse	142.250.185.99
	l2rP5bxDPg.exe	Get hash	malicious	Credential Flusher	Browse	142.250.186.35
	XUpERCR9nC.lnk	Get hash	malicious	Ducktail	Browse	142.250.65.163
	[EXTERNAL] Tribrik Management Limited Shared Document.eml	Get hash	malicious	Unknown	Browse	142.251.40.195
	MAqlwGvuGr.exe	Get hash	malicious	SheetRat	Browse	142.250.65.163
	9fGsCDYKLV.exe	Get hash	malicious	Flesh Stealer	Browse	142.251.40.163

ASNs

⊘No context

JA3 Fingerprints

⊘No context

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Office\Licenses\5\Perpetual\21661362613116367064193984360 (copy)

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	19716
Entropy (8bit):	3.8813582032954383
Encrypted:	false
SSDEEP:	384:8yD8G4c8Eitsd+NdsnFaFDUZYG+wFoQGQpPcMautt4P/GIF+Hoxu:8yD8G7itTnbpel+YG2Pcu4PXF+Ixu
MD5:	CDB8517498872033CCB5281DD7B398FE
SHA1:	BF0BCCA0805C66B0E1193E1758074B6412EC011C
SHA-256:	5407C113AD141734A8B2561F1E2776B779935899B41111BC91450F27B98D8E8D
SHA-512:	0721C0E842753DF68363594629BDE48EA2C0224C600F22F4EE1AAD6438E57C2755FFFF3B024C27E7B75DAF25C583714B2539A48F9298B004F61FB31F68962978
Malicious:	false
Reputation:	low
Preview:	{.".L.i.c.e.n.s.e.".:.".e.y.J.V.c.2.V.y.U.H.J.v.Z.m.l.s.Z.U.l.k.I.j.p.u.d.W.x.s.L.C.J.N.Y.X.h.E.Z.X.Z.p.Y.2.V.z.Q.W.x.s.b.3.d.l.Z.C.I.6.M.S.w.i.Q.W.N.0.a.X.Z.h.d.G.l.v.b.k.R.h.d.G.U.i.O.i.I.y.M.D.I.z.L.T.A.4.L.T.E.3.V.D.E.y.O.j.I.1.O.j.U.4.L.j.Y.w.M.T.E.x.N.T.d.a.I.i.w.i.R.X.J.y.b.3.J.G.Y.W.x.s.Y.m.F.j.a.0.N.h.d.G.V.n.b.3.J.5.I.j.p.u.d.W.x.s.L.C.J.S.Z.W.5.l.d.2.F.s.V.G.9.r.Z.W.4.i.O.i.J.l.e.U.p.K.W.k.d.W.d.W.R.H.b.D.B.l.U.0.k.2.S.W.x.0.V.m.M.y.V.n.l.T.V.1.E.5.V.j.B.4.S.l.J.D.M.H.d.N.R.E.F.6.T.k.R.B.d.0.1.U.R.T.J.O.e.m.R.G.U.k.R.j.M.0.8.w.T.n.B.a.R.D.A.0.T.m.p.J.N.F.p.H.T.T.F.O.R.F.p.r.W.X.p.r.N.U.5.E.W.T.V.P.M.D.V.o.Y.l.d.V.O.U.1.E.Q.X.d.N.e.l.F.3.T.U.R.F.e.E.5.q.Y.z.N.S.V.V.E.z.T.j.E.w.a.U.x.D.S.k.l.Z.W.E.p.r.Z.D.J.G.e.V.p.V.b.G.t.J.a.m.9.p.U.U.R.F.M.0.5.6.T.T.J.N.a.k.U.x.T.W.p.N.e.k.5.E.V.X.l.N.R.E.k.x.T.m.p.F.d.0.1.U.W.T.R.N.a.l.U.1.T.l.R.R.e.E.1.6.Q.T.F.N.e.l.E.0.T.k.R.B.M.0.1.E.U.X.d.N.V.F.k.1.T.0.R.J.N.U.1.6.Y.z.V.O.R.G.c.w.T.k.R.n.d.0.5.U.T.T.N.O.a.k.U.y.T.X.p.N.N.E.9.U.V.X.d.P.

C:\Users\user\AppData\LocalLow\Intel\ShaderCache\55358e20b61aed6fcad5b2283103fb1fe9f3dd3668577b575161f953d12f5a3f

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	98472
Entropy (8bit):	7.9465797909124385
Encrypted:	false
SSDEEP:	3072:Zc76saUM6iadjJx3ZbUyg2tP70QS28iVsvR/:yDaUM6p3ZDg2OQryvR/
MD5:	5D72238E1E80AC6A29AE58DBF480EC2B
SHA1:	EAA416E718FE6D14DB8EA6F163547AA9B6CFA962
SHA-256:	1703134D735E1B2D8FC67B26817003FE7BE1F023E588043D9427CA64516B0434
SHA-512:	751EE8B90B13E1F55341B919A0AFD182D66A8C260BF194F2E92FBD00DE01CA33318653A920B05C25464273729FDA8C45AD70E25E858537269BC781560670C3BF
Malicious:	false
Reputation:	low
Preview:	INSC.>.....Mar222021151921.38._......?Y... j.1/....s.h...fE............................0..bx.c`@.....^2200..A.....,.X)..(]..n(@.......Kc03.....}.......OB...d.?P... q.f.I..@j.........x.A#. ......Q@..C.#..!.`.U.....G..}..3....q.3B...4...=... .o... .....bJ.......c.~.`..pE0z"....xcu@.....P...7..;...#C...;.e.y@?.......P>(...v..(L@..P{.\|nF..jf.0]...kY!t....Y......('.....e`>.7.f..b0fH`..`d.........O`...a..v...D.....v.....\|B3...P...x.cD.@v.h....[j..."._.=.).HZ....t..................A...Xjx..Io.@..=vl.R.hX.NYR@.f......."T.-.LY...C..zB..7....8....M%..H.....Q.*.HL4....e.q..G...K....Z..\...'PXa.\|.V2.....>.\|q>;9o...o.,\|n.!..J.......I..P.P....7..l.?.)m...._,....M...=..c.....w.....Y.~.o...."../....V)N...Q.^!.D...M.w.iLd.+4\"...n..T.w.F%..u./..2.\|.v.`h..FEj~..}.5j~.D.j._.5_(..(-Do.Fu.2......E.S. :.Qt.&..E.m.......J..GD."o.yO.k.:....D.S..@.3.s.u..%......7P.&..B..s.....!...6.........9.>...g...R...._f..0.1...s<..4.....}./P..:.~\..c....1h.}\.....=..ub

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMDATA64.DAT

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	239628
Entropy (8bit):	4.272463757254674
Encrypted:	false
SSDEEP:	3072:HZg/tX4gKNmiGu2TqoQcrt0Fvqw8x2/6M:HQt4mi2GD8x2/6
MD5:	69AD2C02A032166FF2F294237DE89347
SHA1:	A6A0FB7E16EF481AAE045E0F37E8D09C496474C9
SHA-256:	EA6F4279C5F24FCDA1A22B5E71808DC09126C26040FD8360B1B45A0576E9DABC
SHA-512:	7EA8D8A5F8940D26B558CC6FCC3CDAD1A3F774D190C03340924CB251D9041FD8BA5D0B89A04DCCC1C4B4378A119CF0F89C3391A1159FA21782F4A4FD0E366799
Malicious:	false
Reputation:	low
Preview:	TH02...... .0P+.(=......SM01(.......@.!.(=..........IPM.Activity...........h.......................h-...................H..h................a......h....................H..h.... ...........a......h....0..................h.......................ha.......a.......a......h-...@........K.c.......h....H........$..T'.....0....T..................-...d........>.a.....2ha... ..................kF.G.........I.N.E.....!ha..................... ha...........g+.c......#h....8.................$ha...........<........."h.............4..a.....'h...............x-.....1h....<.................0hane\8.......Local\Te../h....l...............H..h....p...........a.....-h.............7.c......+ha..............................ha... ..............F7..............FIPM.Activity....Form....Standard..2hJournal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..............1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(...

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:	3:lSWFN3l/klslpF/4llfll:l9F8E0/
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13597159299334124
Encrypted:	false
SSDEEP:	3:7FEG2l+kal+9/FllkpMRgSWbNFl/sl+ltlslVlllfllOJQn:7+/lbu+vg9bNFlEs1EP/ee
MD5:	6497E83D177EE38C05ABC99027BFF9E8
SHA1:	0C9108A8897EC760BDB517B96C822C74B05CB981
SHA-256:	3A365B400CC8905A04F8ABF5E88A65B6F50EACE2E39E15F4032959C349B7C67C
SHA-512:	8FDB8ACBCF24588564F6B1CEA7E9212C5FB7330A833BFEB692480827670192C0917468E02969DCBE3C6ED70871DC43FA500C27039D720438163FB8397A8C1BA6
Malicious:	false
Reputation:	low
Preview:	.... .c......b.5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04495055541749482
Encrypted:	false
SSDEEP:	3:G4l2ANqFY4l2ANqfmlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2eqm4l2eq6L9XXPH4l942U
MD5:	459C080FE3C1D65F584626706B616A3E
SHA1:	DF5B170B13EAEC911C4907E7B3E38CB6604ECDB5
SHA-256:	EBD0A263500D74C4985306DBAD655D96E6460B4F06F717B54D90E83482882D27
SHA-512:	A02BA16D6F91CA3886BDA9CAA97BDD0922487757A93076B36E5628C9B0C540AFFE1810994F22776B237A33C51ABD9A7E97878FE330A90140AC483AD68A8DCDD7
Malicious:	false
Reputation:	low
Preview:	..-......................Y.;..8.E...X...\.0..-......................Y.;..8.E...X...\.0........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	45352
Entropy (8bit):	0.39464536789438004
Encrypted:	false
SSDEEP:	24:KShwRq7yQ3zRDIUll7DBtDi4kZERDkGuzqt8VtbDBtDi4kZERDje:T6q7yQ1kUll7DYMQLzO8VFDYMe
MD5:	082BEEBF89FAEDEA40CAF7D6FE5D2EC3
SHA1:	7E50A5D443FC86290E22EF54741B61D5F6ED07D9
SHA-256:	576DB1FBBEB85E49DDA6F9957BFE772B331F00CDE9048DE33AD8ADF79FB338EC
SHA-512:	7558AAE53EEB203D76B65A0103A2B7AEB38468C2D5D48FDB6CD1A79646F151CF72A73D746E5C06EFC9FA7758544F7C85C01CDDACAF0CB2B026E6FC4440E390C5
Malicious:	false
Reputation:	low
Preview:	7....-...........E...n.H..L.1.........E......^...SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B13C48DC.tmp

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	19716
Entropy (8bit):	3.8813582032954383
Encrypted:	false
SSDEEP:	384:8yD8G4c8Eitsd+NdsnFaFDUZYG+wFoQGQpPcMautt4P/GIF+Hoxu:8yD8G7itTnbpel+YG2Pcu4PXF+Ixu
MD5:	CDB8517498872033CCB5281DD7B398FE
SHA1:	BF0BCCA0805C66B0E1193E1758074B6412EC011C
SHA-256:	5407C113AD141734A8B2561F1E2776B779935899B41111BC91450F27B98D8E8D
SHA-512:	0721C0E842753DF68363594629BDE48EA2C0224C600F22F4EE1AAD6438E57C2755FFFF3B024C27E7B75DAF25C583714B2539A48F9298B004F61FB31F68962978
Malicious:	false
Reputation:	low
Preview:	{.".L.i.c.e.n.s.e.".:.".e.y.J.V.c.2.V.y.U.H.J.v.Z.m.l.s.Z.U.l.k.I.j.p.u.d.W.x.s.L.C.J.N.Y.X.h.E.Z.X.Z.p.Y.2.V.z.Q.W.x.s.b.3.d.l.Z.C.I.6.M.S.w.i.Q.W.N.0.a.X.Z.h.d.G.l.v.b.k.R.h.d.G.U.i.O.i.I.y.M.D.I.z.L.T.A.4.L.T.E.3.V.D.E.y.O.j.I.1.O.j.U.4.L.j.Y.w.M.T.E.x.N.T.d.a.I.i.w.i.R.X.J.y.b.3.J.G.Y.W.x.s.Y.m.F.j.a.0.N.h.d.G.V.n.b.3.J.5.I.j.p.u.d.W.x.s.L.C.J.S.Z.W.5.l.d.2.F.s.V.G.9.r.Z.W.4.i.O.i.J.l.e.U.p.K.W.k.d.W.d.W.R.H.b.D.B.l.U.0.k.2.S.W.x.0.V.m.M.y.V.n.l.T.V.1.E.5.V.j.B.4.S.l.J.D.M.H.d.N.R.E.F.6.T.k.R.B.d.0.1.U.R.T.J.O.e.m.R.G.U.k.R.j.M.0.8.w.T.n.B.a.R.D.A.0.T.m.p.J.N.F.p.H.T.T.F.O.R.F.p.r.W.X.p.r.N.U.5.E.W.T.V.P.M.D.V.o.Y.l.d.V.O.U.1.E.Q.X.d.N.e.l.F.3.T.U.R.F.e.E.5.q.Y.z.N.S.V.V.E.z.T.j.E.w.a.U.x.D.S.k.l.Z.W.E.p.r.Z.D.J.G.e.V.p.V.b.G.t.J.a.m.9.p.U.U.R.F.M.0.5.6.T.T.J.N.a.k.U.x.T.W.p.N.e.k.5.E.V.X.l.N.R.E.k.x.T.m.p.F.d.0.1.U.W.T.R.N.a.l.U.1.T.l.R.R.e.E.1.6.Q.T.F.N.e.l.E.0.T.k.R.B.M.0.1.E.U.X.d.N.V.F.k.1.T.0.R.J.N.U.1.6.Y.z.V.O.R.G.c.w.T.k.R.n.d.0.5.U.T.T.N.O.a.k.U.y.T.X.p.N.N.E.9.U.V.X.d.P.

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1732312230978494100_4BA7F0B3-BD5D-492A-ACC3-B728FA4F3FE3.log

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28031), with CRLF line terminators
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.1903303023479035
Encrypted:	false
SSDEEP:	1536:dvxpiLkfNG5THZGz9Y/MWOuGQwbb0wjQtMEgfWXJkjcjGFOwsC1fGjMolgBGvsVj:txdytGzeMFO
MD5:	38EF7A370072A29B697B7AF4F8D21AEA
SHA1:	E95A7216068CD27D4D60A038794AE6B88B6F5245
SHA-256:	9DDBD888D6744493ED4155A201CC612EC9701AC6E5BA37140E33C804BED49BB4
SHA-512:	6FC1D6F2C486B6508345E79C24D849BF3BE39AF74BB2EA240D93DD86EC9D2F0C0DC98F6EF1E344DE03572AE00C1822879A793E9D00B379B90A51C5BA1D8D2973
Malicious:	false
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..11/22/2024 21:50:31.017.OUTLOOK (0x25D8).0x2648.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Experimentation.FeatureQueryBatched","Flags":33777005812056321,"InternalSequenceNumber":31,"Time":"2024-11-22T21:50:31.017Z","Data.Sequence":0,"Data.Count":128,"Data.Features":"[ { \"ID\" : 6, \"N\" : \"Microsoft.Office.Diagnostics.WerCrashDLLEnabled\", \"V\" : true, \"S\" : 11, \"P\" : 0, \"T\" : \"2024-11-22T21:50:30.8459475Z\", \"C\" : \"39\", \"Q\" : 3.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" : \"Microsoft.Office.Telemetry.TrackCPSWrites\", \"V\" : false, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-11-22T21:50:30.8615678Z\", \"C\" : \"33\", \"Q\" : 0.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" : \"Microsoft.Office.Telemetry.CPSMaxWrites\", \"V\" : 2, \"S\" : 1, \"P\" : 0, \"T\" : \"2024-11-22T21:50:30.8615678Z\", \"C\" : \"33\", \"Q\" : 6.0, \"M\" : 0, \"F\" : 5 }, { \"ID\" : 6, \"N\" :

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App_1732312230979056000_4BA7F0B3-BD5D-492A-ACC3-B728FA4F3FE3.log

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	16777216
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	2C7AB85A893283E98C931E9511ADD182
SHA1:	3B4417FC421CEE30A9AD0FD9319220A8DAE32DA2
SHA-256:	080ACF35A507AC9849CFCBA47DC2AD83E01B75663A516279C8B9D243B719643E
SHA-512:	7E208B53E5C541B23906EF8ED8F5E12E4F1B470FBD0D3E907B1FC0C0B8D78EB1BBFB5A77DCFD9535ACF6FA47F4AB956D188B770352C13B0AB7E0160690BAE896
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_14326_20404-20241122T1650300861-9688.etl

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 134217728.000000
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	4.370677358166667
Encrypted:	false
SSDEEP:	768:M9jxtY/Hpq/O0ZdiIZ4kGcyXidZaN6HoJzCrf+fyqCfXcMPZYGXNANy3:Mhxuo1n4kGc2idZe6H7UMPZpXNA03
MD5:	0D8EECBD36BDFE4F12121B0F9B62F5A3
SHA1:	D317F0773EEC9543B8D4E3218991891BB2A56A57
SHA-256:	62561286CADE5F91EE6031790C20B09F1085B04E02B57823DE131B9DC4D4EE8C
SHA-512:	216731FBED624C5EBDB8E0AE7CAB82FD778DB2E2BFAA8DDF2A6844DF8F41943CC06B9D6484B3D570A12C37C25AAADCB05302FE8DFCAA67E15B8C5CD610EB771F
Malicious:	false
Preview:	............................................................................l....%...%.....(=..................bJ..............Zb..2...........................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................=.b.<.............(=..........v.2._.O.U.T.L.O.O.K.:.2.5.d.8.:.e.2.7.9.b.c.3.1.3.d.8.1.4.d.1.d.8.d.2.a.f.4.f.e.f.1.9.7.f.3.4.8...C.:.\.U.s.e.r.s.\.D.y.l.a.n.e.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.4.3.2.6._.2.0.4.0.4.-.2.0.2.4.1.1.2.2.T.1.6.5.0.3.0.0.8.6.1.-.9.6.8.8...e.t.l...........P.P..%...%.....(=..........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO2057.acl

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	37740
Entropy (8bit):	3.124569274408175
Encrypted:	false
SSDEEP:	768:VatNbFeZKdogeyHMOeYhIVi+iOFOqbPXdEmawb:A/eLAhIVJbf
MD5:	7BEBA166EEAB6D526683BBA63C2809F7
SHA1:	1D9935F9D194E5276E49DA262CF3AC666B4D85B3
SHA-256:	69AAE857ABAAA1FE1A420DDDE95A8C956B4BD6E102D3B2E72BF1746C38A4CF36
SHA-512:	9BC90DF1F2C8A1F1F1B97317BB834A813DD69C5C931A909F2277BF475C362800497EC0A0A125B505B58404E877ABFA24931FC68CC4D71956AC1BEB87E14AE2FC
Malicious:	false
Preview:	....jF..l.......S.....(.c.)...........(.e.)...... ....(.r.)...........(.t.m.)....."!..............& ....a.b.b.o.u.t.....a.b.o.u.t.....a.b.o.t.u.....a.b.o.u.t.....a.b.o.u.t.a.....a.b.o.u.t. .a.....a.b.o.u.t.i.t.....a.b.o.u.t. .i.t.....a.b.o.u.t.t.h.e.....a.b.o.u.t. .t.h.e.....a.b.s.c.e.n.c.e.....a.b.s.e.n.c.e.....a.c.c.e.s.o.r.i.e.s.....a.c.c.e.s.s.o.r.i.e.s.....a.c.c.i.d.a.n.t.....a.c.c.i.d.e.n.t.....a.c.c.o.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.c.o.r.d.i.n.g.t.o.....a.c.c.o.r.d.i.n.g. .t.o.....a.c.c.r.o.s.s.....a.c.r.o.s.s.....a.c.h.e.i.v.e.....a.c.h.i.e.v.e.....a.c.h.e.i.v.e.d.....a.c.h.i.e.v.e.d.....a.c.h.e.i.v.i.n.g.....a.c.h.i.e.v.i.n.g.....a.c.n.....c.a.n.....a.c.o.m.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.o.m.o.d.a.t.e.....a.c.c.o.m.m.o.d.a.t.e.....a.c.t.u.a.l.y.l.....a.c.t.u.a.l.l.y.....a.d.d.i.t.i.n.a.l.....a.d.d.i.t.i.o.n.a.l.....a.d.d.t.i.o.n.a.l.....a.d.d.i.t.i.o.n.a.l.....a.d.e.q.u.i.t.....a.d.e.q.u.a.t.e.....a.d.e.q.u.i.t.e.....a.d.e.q.u.a.t.e.....a.d.n.....

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.6704798764553939
Encrypted:	false
SSDEEP:	12:rl3baFGqLKeTy2MyheC8T23BMyhe+S7wzQe9zNMyhe+S7xMyheCac:r8mnq1Pj961r
MD5:	1954236C0E940C93B36BC871FBDE623F
SHA1:	CB7225FFE2802B26944D9199C7FC3B786769FAA3
SHA-256:	CC50BFC41E6888A7DFD582C618640A4651A600A3A6CD674CA4A3C9DC607E5311
SHA-512:	C73CB0FADA033D8F6F44D1C0453618D2A51675CFE9B6584AF8245D48809B9DF201A92D877DC90F79C826C1B6596FC6D3D70C7014BF2D20E2812EE23AE54B7163
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	18
Entropy (8bit):	2.836591668108979
Encrypted:	false
SSDEEP:	3:QhRZln:Qb
MD5:	C635A6BFA5AE32F7E77689DF0465FC21
SHA1:	AFF2FB5D3D3DBB371C3EDAA867AA0FB4FD4D8B06
SHA-256:	75EB61906ED4248E5CB1C7A09A2031E5C159A52577A5625766612370E508D535
SHA-512:	A1BBCCBBD6B849070F3981710E1D1F0882C78C2947781908ACAF987FC2F3E34C8DB981212B47C9D714568E4F8D91D938056329787121EE9397D7086F8A57855A
Malicious:	false
Preview:	..D.y.l.a.n.e.....

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	3.410006839070419
Encrypted:	false
SSDEEP:	6144:RXCEkNCEkrCEkaCEkCCEkoCEk9XCEkjy5XM:RXCEkNCEkrCEkaCEkCCEkoCEk9XCEkuS
MD5:	FE10DE8D8A411E161E73A30071819068
SHA1:	331D471DB867B774106FA10516A52618A9C4B043
SHA-256:	ED952448A04C45D4FEE52F264C9767350C4BA8A9404D9E9E62455F5E0F8C3B4A
SHA-512:	55FEA20C58EB8C507BA3A599BA80BEE16E0260D6E01B6341651D84937A3746F0E8F9903FDEF30F879B793FC92D36D57E3175E31DE3BBC856FD6BEB2DA1443F2C
Malicious:	false
Preview:	!BDN.X.oSM......x....D..................`................@...........@...@...................................@...........................................................................$.......D......@-..........................................................................................................................................................................................................................................................................................................................\............B......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	4.5517634300564636
Encrypted:	false
SSDEEP:	3072:JYCEkNCEkrCEkaCEkjCEkoCEk9XCEkRzGpD/f:JYCEkNCEkrCEkaCEkjCEkoCEk9XCEkRG
MD5:	0F60665246E14D1EEAB9F592D09A0851
SHA1:	E62FF65CAE844B6E181FE0B7AE507E54CD041AF9
SHA-256:	B3E38D75E535369D7A470F8080E66E2D2D0E35821100B98C257D5F3FE6FAE67D
SHA-512:	E389D24EE4B0C3194D932BB08D0DB0E2CFE5FD8CBED2737F354732AB3C560FD2018B6ED156AF083329D80CB0A95F41DAE59CDA5B56AEFC52AD07415355FE3323
Malicious:	false
Preview:	&...0...i........%..t...(=.......D............#..........................................................................................................................................................................................................................?.............................?...............................................................................................................................................................................................................................................................F.D..........0...j........%..t...(=.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Entropy (8bit):	5.878964534302105
TrID:	Text - UTF-8 encoded (3003/1) 100.00%
File name:	[EXTERNAL] Analyzing the Attack Surface.eml
File size:	64'440 bytes
MD5:	5e68446121e76db1dfd516af399a9ef6
SHA1:	86fae100ee77c2935eb6bd1c1bb5b724881c1972
SHA256:	31c4e98cea095934a5739cf86bf5882a849f6eb8f6e2c0eacd7291347edb1acb
SHA512:	da52eaf4c17b8b24597c14deab9d87223550805b020611366a3f4fe763c30ac0b05329efe1ff7da019bd83820ce319ea469be6c15cd8fb1bf417b45104cce650
SSDEEP:	768:nKi/ZeogT6/M0MFbt6FrF2IddKbLlmxaQM8c+e+aaS+M3mJoi:nsrABM4rsIdUHl0ve+e+jS+MWJoi
TLSH:	8E531A4751433679DCA4E90A682F7A7732B43A4718F0604F1A3CEEB09692DF8B9F0785
File Content Preview:	...Received: from PH7PR12MB5733.namprd12.prod.outlook.com (2603:10b6:510:1e0::22).. by CH3PR12MB8353.namprd12.prod.outlook.com with HTTPS; Fri, 22 Nov 2024.. 13:21:50 +0000..Received: from YQBPR0101CA0347.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:c01:6b::8)..

Static Mail

General

Subject:	[EXTERNAL] Analyzing the Attack Surface
From:	Simone Haddad <simone@hctit.com>
To:	Beth Barron <beth.barron@oakville.ca>
Cc:
BCC:
Date:	Fri, 22 Nov 2024 13:19:25 +0000
Communications:	You don't often get email from simone@hctit.com. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification> Analyzing the Attack Surface22 Nov 08:00 AM Insights from an Attackers Perspective...Read More [https://cascade.madmimi.com/theme_logos/0150/6694/promotion/logo.png?1723427801] Analyzing the Attack Surface<https://email.cloud.secureclick.net/c/56657?id=9320.16.1.33e19ff7c4e153555ce8ae2ca531d282> 22 Nov 08:00 AM [https://cascade.madmimi.com/bulk_images/29501352/1073925908-1024x54220241122-19614-ajecvq.jpg?1732281318] Insights from an Attackers Perspective...Read More<https://email.cloud.secureclick.net/c/56657?id=9320.17.1.0e54189ba7801d13428c80467ceec3a6> [facebook]<https://email.cloud.secureclick.net/c/56657?id=9320.18.1.d5aafb0146478aaf7b60be5cce581d4a> [linkedin] <https://email.cloud.secureclick.net/c/56657?id=9320.19.1.7ccf2780d05355179f0f8cce73ef955a> 2024 HCTIT \| HCTIT \| 22725 Greater Mack Ave 301B #4072 \| St Clair Shores, MI 48080 Web Version<https://email.cloud.secureclick.net/c/56657?id=9320.20.1.cd1d2d47dadf9c57a1cb21f22cd7d380&p=eyJ7e21pbWktc2lnbmF0dXJlfX0iOiIxODQ3OTUyMzMtMDE5MmZlYTEtYzA5MC03MmU2LWFlYTgtZjllMmE0Njc0OWE1LWVhOTYzMjkwOTBjZmEwZjI5MjAwZjY2MmQ5ZGQ4Y2Q1ZTI5ZDNmNzYiLCJ7e2VtYWlsSWR9fSI6IjkzMjAifQ==> Forward<https://email.cloud.secureclick.net/c/56657?id=9320.21.1.1855c567356bb3bf0e347c39a5939627&p=eyJ7e21pbWktc2lnbmF0dXJlfX0iOiIxODQ3OTUyMzMtMDE5MmZlYTEtYzA5MC03MmU2LWFlYTgtZjllMmE0Njc0OWE1LWVhOTYzMjkwOTBjZmEwZjI5MjAwZjY2MmQ5ZGQ4Y2Q1ZTI5ZDNmNzYiLCJ7e2VtYWlsSWR9fSI6IjkzMjAifQ==> Unsubscribe<https://gem.godaddy.com/opt_out?pact=9320-184795233-0192fea1-c090-72e6-aea8-f9e2a46749a5-ea96329090cfa0f29200f662d9dd8cd5e29d3f76> Powered by GoDaddy Email Marketing <https://gem.godaddy.com/>
Attachments:

Headers

Key	Value
Received	by m71.cloud.em.secureserver.net id h822dq3936cd for <beth.barron@oakville.ca>; Fri, 22 Nov 2024 13:19:25 +0000 (envelope-from <spc_56657.9320.1.f8b42d682122d867d6d360ed52b27085@bounces.cloud.em.hctit.com>)
From	Simone Haddad <simone@hctit.com>
To	Beth Barron <beth.barron@oakville.ca>
Subject	[EXTERNAL] Analyzing the Attack Surface
Thread-Topic	[EXTERNAL] Analyzing the Attack Surface
Thread-Index	AQHbPOF9o+/4UeFjBkaeWWWPNog0dA==
Date	Fri, 22 Nov 2024 13:19:25 +0000
Message-ID	<fE.56657.2495.9320.1732281565.5472643.eJP@ip-10-123-30-230.us-west-2.compute.internal.mail>
List-Unsubscribe	<mailto:spc_56657.9320.1.f8b42d682122d867d6d360ed52b27085@unsubscribes.cloud.em.secureserver.net?subject=Unsubscribe 56657.9320.1.f8b42d682122d867d6d360ed52b27085>, <https://gem.godaddy.com/unsubscribe?pact=9320-184795233-0192fea1-c090-72e6-aea8-f9e2a46749a5-ea96329090cfa0f29200f662d9dd8cd5e29d3f76>
Content-Language	en-US
X-MS-Exchange-Organization-AuthAs	Anonymous
X-MS-Exchange-Organization-AuthSource	QB1PEPF00004E07.CANPRD01.PROD.OUTLOOK.COM
X-MS-Has-Attach
X-Auto-Response-Suppress	All
X-MS-Exchange-Organization-Network-Message-Id	5f8d1b82-76ef-4a60-c02c-08dd0af84a08
X-MS-Exchange-Organization-SCL	1
X-MS-TNEF-Correlator
X-MS-Exchange-Organization-RecordReviewCfmType	0
received-spf	Pass (protection.outlook.com: domain of bounces.cloud.em.hctit.com designates 72.167.168.71 as permitted sender) receiver=protection.outlook.com; client-ip=72.167.168.71; helo=m71.cloud.em.secureserver.net; pr=C
x-ms-publictraffictype	Email
x-ms-exchange-crosstenant-id	c868558f-a1c1-46fc-821d-aed53bb48125
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	QzUFopgrGTkorNHd6lHni/IwxrYaBFCMAk1apDrmm/ea4MFRg27ATMdlsjv34YbWVuK511pLsajlbJbgWUI1wzBDYHXFFA1hfqFf7cA91DZqr1zrw0fwT1ynkIchjHtJmK5peHOsECZarXEoioeVZUCdnUEasTJvDgoUfwfHs0SprvXZy/Y7fJr9HWKxWmTlcH/3Eo2CpBepjcepQabx5Ke/fTVGunhrh/ga5gL7XZ/fRH6q58EDQUBqloceMCWSC6iwxBTN6R+H/SP2uj/IAdO23tvcR5PQ0bn1Ya5IuV9u0/WbgCg/ua5x9HKzbAjoQ2LT3linXaize/36yAvvcOOrNTaEi0N7RF3Jyzvz5w8GlVUP7QM3mr/Oglogz3PVZCraqtfldmRo+jD5RGUtbmH+i6Wc4Q71igL67DSGuOE9Rw0Acv8WU/M1VSu/S/e5hv6dqfexsRlCxZiYGFmRBkOtfr2d+o1koDr6MtwZ6Y8pwGMm6khehaJgJ48wm1vB/iLNc1YBjAa4Cd23Q9JHr2UnwQcFJS/ChbIYkhH0CeXAYjBOZYbBdcCaTalsCPVtIZqQKjuvYmKxb5qhGfzBMMcQpB0RoZPJuk+2ukzYdkhxP6cbBhSo8F6NdzFeilOxmFSAkrmU+COtjIRGReAjkQADGnmV6u1C6Y+zu3W1CEBMdJQsQeDskGCSF4qWTKIhp1IrunBLh+PuziQ1Po9MlQA1/Vx8ycYoImvQuhggWI4pAoYJtS+fpZ1ZjY134FBZz6/ZHE1nSHMrmOaKv10f/TW46h6/M6cufO9Tmxp7sOH0FGgDfMhndzyMcxAVtPq1AOJYWqbfE/Kx4IJXPK247Nb4cl0VjIIrGoP1MfoZfrgvVDFtQMcKn0ttFbHjfXCv8RAvC4b7Jz3UrS0+89q6FRZ3QS9M53+QYcJoEC/kJZ32Uc8EpMJGlfJ4FAbT9tVzDtvbuoLhsADKhOxznAfCG6L0sKGBbZiwvjGpGaiGHPtqRahckRHb+QExcWjQLGM+gk94Z/J3vQAbhW9/bft6KxqubAb9G4i8FYa3Oeo4r9cSrBY/VhNn7fiAgZGTcocpOpwhLGPC0V1Pa53d/C6nFqxrpsa0DBtNUS8LMom3vuBgJYUw+tmS80nl3r0gsNUY2FSEigwmbc8R+Dct9YSQdLSan3Z3DR08X8n4+vA97/P9RMApkUCM3vUFs9J/bbakhVIdIfk7+5PWT0IHRB180N1fKncUNCs9LZ8VRiFGhCgBy+IZLMp6RkVvzupyzxOg5wEuh6iGpS2wkgrxIPs0kwd45MKHdov26K2UrWXDTMAoGXUT3TeybPwx8eGYs0wXaKWurDrl1EswdBt8NohbPdmFhQG7m+2bC5Okrhr99eE2iBqSQHnDnIMkaFldDwic0a/KSdpIeRIu0Ogh3Hqaoc4I0Q+DIcuAxgsASWk06VLrg0sSybq8tRLyQYcf13ZQQ+sySqQ12DVo8zjARe7lzm/jwOA55KOrhsusglRk9y85f3vUhua9DAlYt/XbDK/xVVVV5NSx3/CxQ29XzcG8sfIAVq8RpwPoOHz3qNLv50id6ofRZnxuz3r9gNvhGbAHG2rVGUQSGAco/wEKupH+CesO4wYb8zR064ebrWCyWew4LzLBSbdxF+8HJf6wW/2cwkEI5EszrjS4ChG8IwYLbJTLnwbFhBASfnD1+OXvv/rRoMIR1ZkmBzgTH7v2m0s3vhBn98zG8k8rvTstNp2//FzBj0gTtnWApBVwlUw0hZ3qXlx4KdLmYKctf+UmupL9LYccxYbU9kV2+Z4wKEQCJldM7f0aI0Z5P+z6zoSNV3eAVzypY2bcYpqGZ9Pzu0aClKwbQBdIOL3gyHjzg3Jgti33gttAi+tnK3EOizeuTAL08r7anwJKSSi9RnZB+MBHEoIQK4u81hJizfwq9F1ckThxNSIBDp3Ypbsv3KSPlP9O3DXoE5Pn3VuaMDpeVHwZd4dHsYrP58ZqQYjF1pTHdzwdUr7mEiV0U0BoX0+KpScnyC0BiMNwBq/ax3InD+/bA7tM1qYzwbjr47vG6X1O/A==
Content-Type	multipart/alternative; boundary="_000_fE566572495932017322815655472643eJPip1012330230uswest2c_"
MIME-Version	1.0

File Icon


Icon Hash:	46070c0a8e0c67d6

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-22T22:51:12.089000+0100	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.11.30	49741	23.200.88.22	443	TCP

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 22, 2024 22:51:37.151103020 CET	56400	53	192.168.11.30	1.1.1.1
Nov 22, 2024 22:51:37.246558905 CET	53	56400	1.1.1.1	192.168.11.30

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 22, 2024 22:51:37.151103020 CET	192.168.11.30	1.1.1.1	0x460c	Standard query (0)	c.pki.goog	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 22, 2024 22:51:37.246558905 CET	1.1.1.1	192.168.11.30	0x460c	No error (0)	c.pki.goog	pki-goog.l.google.com		CNAME (Canonical name)	IN (0x0001)	false
Nov 22, 2024 22:51:37.246558905 CET	1.1.1.1	192.168.11.30	0x460c	No error (0)	pki-goog.l.google.com		142.250.65.227	A (IP address)	IN (0x0001)	false
Nov 22, 2024 22:51:37.542071104 CET	1.1.1.1	192.168.11.30	0x9ba7	No error (0)	bg.microsoft.map.fastly.net		199.232.214.172	A (IP address)	IN (0x0001)	false
Nov 22, 2024 22:51:37.542071104 CET	1.1.1.1	192.168.11.30	0x9ba7	No error (0)	bg.microsoft.map.fastly.net		199.232.210.172	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: OUTLOOK.EXEPID: 9688, Parent PID: 5048

General

Target ID:	0
Start time:	16:50:30
Start date:	22/11/2024
Path:	C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\[EXTERNAL] Analyzing the Attack Surface.eml"
Imagebase:	0x7ff7ba420000
File size:	42'157'856 bytes
MD5 hash:	6BE14F2DEA2AB6B01387EC38C4977F4F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly