Windows Analysis Report
phish_alert_sp2_2.0.0.0 (12).eml

Overview

General Information

Sample name:phish_alert_sp2_2.0.0.0 (12).eml
Analysis ID:1585548
MD5:5e24649d5e679301a4bc604d7d147f53
SHA1:dc2d2e3fe2f6aa535b8fff4087d7d02d9d38be98
SHA256:230fa438913a56bd65298dbfa665292b073467cb14bd260097643fd37c15cf38
Infos:

Detection

Score:56
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected potential phishing Email
Email DMARC failed
Email SPF failed
Email DKIM failed
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8148 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (12).eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 4256 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF5E7705-B5BE-4FDA-9650-2500CED26608" "448E66F3-4C72-41AE-9621-9CD5E869A73C" "8148" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8148, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Phishing

Source: Email | Joe Sandbox AI: Email contains prominent button: 'view message'
Source: Email | Joe Sandbox AI: Detected potential phishing email: The email contains multiple repetitive content blocks which is suspicious and indicates potential tampering or automated generation. The sender domain 'bracket.email' and format 'do.not.reply.with.email@bracket.email' appears suspicious and generic. The email attempts to create urgency and get the user to click on external links by claiming there's a secure message that will expire
Source: phish_alert_sp2_2.0.0.0 (12).eml | Email attachment header: Authentication-Results: fail action=none header.from=bracket.email
Source: phish_alert_sp2_2.0.0.0 (12).eml | Email attachment header: Authentication-Results: softfail (sender IP is 67.231.158.153) smtp.mailfrom=ses.bracket.email
Source: phish_alert_sp2_2.0.0.0 (12).eml | Email attachment header: Authentication-Results: fail (body hash did not verify) header.d=bracket.email
Source: Email | Classification: Credential Stealer
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://assets.bracket.email/assets/email-avatar-default-user-4a6956715a403309e04b47743279c0f259deb2
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://assets.bracket.email/assets/logo-left-topmenu-white-112x40-cca001401b5f0508f1b6ac9a238180879
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://assets.bracket.email/profiles/production/users/logos/1230355/email/SARTAFINALLOGO-_whtie_bac
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://fonts.gstatic.com/s/lato/v11/HkF_qI1x_noxlxhrhMQYELO3LdcAZYWl9Si6vvxL-qU.woff)
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://fonts.gstatic.com/s/lato/v11/RYyZNoeFgb0l7W3Vu1aSWOvvDin1pK8aKteLpeZ5c0A.woff)
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://fonts.gstatic.com/s/lato/v11/qIIYRU-oROkIk8vfvxw6QvesZW2xOQ-xsNqO47m55DA.woff)
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://fonts.gstatic.com/s/lato/v11/qdgUG4U09HnJwhYI-uK18wLUuEpTyoUstqEm5AMlJo4.woff)
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://urldefense.com/v3/__https://bracket.email/signin/OAZ8Bdg9/verification/tRz9JwFSd2Fb6Fb8yXW2n
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://urldefense.com/v3/__https://bracket.email/signin__;
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://urldefense.com/v3/__https://www.sartaonline.com__;
Source: phish_alert_sp2_2.0.0.0 (12).eml | String found in binary or memory: https://www.sartaonline.com
Source: classification engine | Classification label: mal56.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250107T1422520093-8148.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (12).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF5E7705-B5BE-4FDA-9650-2500CED26608" "448E66F3-4C72-41AE-9621-9CD5E869A73C" "8148" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
  • Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
  • Resource Development: Acquire Infrastructure; Domains; DNS Server
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts
  • Execution: Windows Management Instrumentation; Scheduled Task/Job; At
  • Persistence: 21 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
  • Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
  • Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
  • Discovery: 1 Process Discovery; 12 System Information Discovery; Query Registry
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Command and Control: Data Obfuscation; Junk Data; Steganography
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
  • Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://assets.bracket.email/assets/email-avatar-default-user-4a6956715a403309e04b47743279c0f259deb2 | 0% | Avira URL Cloud | safe |
https://assets.bracket.email/profiles/production/users/logos/1230355/email/SARTAFINALLOGO-_whtie_bac | 0% | Avira URL Cloud | safe |
https://assets.bracket.email/assets/logo-left-topmenu-white-112x40-cca001401b5f0508f1b6ac9a238180879 | 0% | Avira URL Cloud | safe |
https://www.sartaonline.com | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://urldefense.com/v3/__https://bracket.email/signin__; | phish_alert_sp2_2.0.0.0 (12).eml | false | | high
https://urldefense.com/v3/__https://bracket.email/signin/OAZ8Bdg9/verification/tRz9JwFSd2Fb6Fb8yXW2n | phish_alert_sp2_2.0.0.0 (12).eml | false | | high
https://assets.bracket.email/assets/email-avatar-default-user-4a6956715a403309e04b47743279c0f259deb2 | phish_alert_sp2_2.0.0.0 (12).eml | false | Avira URL Cloud: safe | unknown
https://assets.bracket.email/assets/logo-left-topmenu-white-112x40-cca001401b5f0508f1b6ac9a238180879 | phish_alert_sp2_2.0.0.0 (12).eml | false | Avira URL Cloud: safe | unknown
https://www.sartaonline.com | phish_alert_sp2_2.0.0.0 (12).eml | false | Avira URL Cloud: safe | unknown
https://assets.bracket.email/profiles/production/users/logos/1230355/email/SARTAFINALLOGO-_whtie_bac | phish_alert_sp2_2.0.0.0 (12).eml | false | Avira URL Cloud: safe | unknown
https://urldefense.com/v3/__https://www.sartaonline.com__; | phish_alert_sp2_2.0.0.0 (12).eml | false | | high
          No contacted IP infos
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1585548
          Start date and time:2025-01-07 20:21:37 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 4m 16s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:9
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:phish_alert_sp2_2.0.0.0 (12).eml
          Detection:MAL
          Classification:mal56.winEML@3/3@0/0
          Cookbook Comments:
          • Found application associated with file extension: .eml
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.68.129, 2.16.168.101, 2.16.168.119, 23.56.254.164, 52.113.194.132, 20.52.64.200, 13.107.246.45, 20.190.159.71, 4.175.87.197, 23.56.254.165
          • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, otelrules.afd.azureedge.net, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdgwc02.germanywestcentral.cloudapp.azure.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.offi
          • Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryAttributesFile calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • VT rate limit hit for: phish_alert_sp2_2.0.0.0 (12).eml
          No simulations
          No context
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):102400
          Entropy (8bit):4.471695216733605
          Encrypted:false
          SSDEEP:768:8yR1a91T7aDmJL4UGFL7cU9xXAvWIVLXX7QmdcEYW3p:HA4HcU9xXAvWIjXZd
          MD5:0682AFDAB0219877F1BD617DC83DD3A9
          SHA1:ADEB33D19F51F0D45861A992988004FA0B3DB970
          SHA-256:6FEFCC19021341B95E3DB41C9B789EF2C00F6CD698FE093883FA4817895DDEC7
          SHA-512:E653EC5225E3BEA0F7E32F40F583E8BF7E1DE43E496A6B32AE87831779337212FB3916A69B7E7D1B2A1A5279578CFA9A220D8C4A5DA425459293EAF4C8403975
          Malicious:false
          Reputation:low
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:Microsoft Outlook email folder (>=2003)
          Category:dropped
          Size (bytes):271360
          Entropy (8bit):3.078273125948715
          Encrypted:false
          SSDEEP:1536:sVsNzbTg14Bg1S38XiXU4B17Kba1g6XsN8ulY3q7PKvrCOjNSNvrAgirLMNc577Q:qsVbrCOjNRMiCp9Exp9
          MD5:8D263C8BF4E78F08F23BBCCE9510DD7E
          SHA1:C77219267B3E4D51ECDCCFFAD393A640844D7648
          SHA-256:615F3205EC83C26AE6F449463609582F134E58DBE8EC27F5B0B15C72653C0BF1
          SHA-512:2610A6DA4EA57D5091A0B5F01525E63B765B9DE54DF195F4FEA2361547CCDBDF394638F76CF3C4AA4E1109AAA6E575CC2F4E4469A0B755FE606D5AD29E14FE3C
          Malicious:true
          Reputation:low
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):131072
          Entropy (8bit):3.9906274316785546
          Encrypted:false
          SSDEEP:1536:fW53jEpEHP4qQ10PAwr17l/iYq7PKhrCOjfpg14Bg1S39NvrAgirLMNwW53jEpE1:hp9oFrCOjfsMAp9O
          MD5:A581D5A81021EFB5DCBA43799763FD4B
          SHA1:88B58F22ADFF5E73F7B4B32BFEE135D239E621E9
          SHA-256:D4B2839A536E847C597594824662DDFC8EDA0F22DBB7FB59C6AB4E8AE24EFBAD
          SHA-512:1E96BE42A15B64CE778F33E92A30135181A8E611291FAD649C7E4DF5FBF2638B78CDC5E968BB210EC458BC294C2039ECA38231CB7A5A2544E76D70B681F332A8
          Malicious:true
          Reputation:low
          File type:RFC 822 mail, ASCII text, with very long lines (2349), with CRLF line terminators
          Entropy (8bit):5.869058191274782
          TrID:
          • E-Mail message (Var. 5) (54515/1) 100.00%
          File name:phish_alert_sp2_2.0.0.0 (12).eml
          File size:26'813 bytes
          MD5:5e24649d5e679301a4bc604d7d147f53
          SHA1:dc2d2e3fe2f6aa535b8fff4087d7d02d9d38be98
          SHA256:230fa438913a56bd65298dbfa665292b073467cb14bd260097643fd37c15cf38
          SHA512:14d6d18c1699f22523d447f48252c3feec9a70fa4e07980c13f93b2308cd94a1ccb25972bfabeb23cee2e808da504bb76c164b33c3e1f8e9bc5447e56c59db32
          SSDEEP:384:jRf4V9QwoF6i5UbdySls1+ID3mrbJA0OlmDHsf3DwDHRu:jRsQwHTpySGTmHqlmDHsf3DX
          TLSH:48C23931F381244AA9325198F231BF6DF7A90047036344E8B99F51677BAACB10F53BAD
          File Content Preview:Received: from BN0PR07MB8896.namprd07.prod.outlook.com.. (2603:10b6:408:16e::12) by BYAPR07MB4645.namprd07.prod.outlook.com with.. HTTPS; Tue, 7 Jan 2025 15:29:42 +0000..Received: from AM6PR10CA0083.EURPRD10.PROD.OUTLOOK.COM.. (2603:10a6:209:8c::24) by BN
          Subject:New secure message: [RE: SARTA IP Address Assignments]
          From:"Adam Snyder [Bracket]" <do.not.reply.with.email@bracket.email>
          To:Clinton Taggart <clinton.taggart@vontas.com>
          Cc:
          BCC:
          Date:Tue, 07 Jan 2025 15:29:35 +0000
          Communications:
          • EXTERNAL: Do not click links or open attachments if you do not recognize the sender.
            You received a secure message from:
            Adam Snyder
            IT Manager
            Stark Area Regional Transit Authority (SARTA)
            View message https://urldefense.com/v3/__https://bracket.email/signin/OAZ8Bdg9/verification/tRz9JwFSd2Fb6Fb8yXW2nh7B?continue=https*3A*2F*2Fbracket.email*2Fmessage_threads*2F16362917__;JSUlJSU!!I_DbfM1H!Clc6Cu_AS4YL0CG_mO19LT1xOth9icXagHKNwNtPRqj0Z3sbMgQSHGoITNj-j6OBDkDEmWDtxhPAtmlRyyto6o8r5U3j89RH5fVwKA$
            Adam Snyder sent you a message with Bracket. Tap the button above to securely view the message.
            This button will only work from this device and will expire after 1 week. Once it has expired you'll need to sign in to view your message. https://urldefense.com/v3/__https://bracket.email/signin__;!!I_DbfM1H!Clc6Cu_AS4YL0CG_mO19LT1xOth9icXagHKNwNtPRqj0Z3sbMgQSHGoITNj-j6OBDkDEmWDtxhPAtmlRyyto6o8r5U3j89QdJX1v0w$
            Important: Do not reply to this notification. To send an encrypted response, view the message and securely reply from there.
            Stark Area Regional Transit Authority (SARTA) 1600 Gateway Blvd SE, Canton, OH 44707 330-477-2782 https://www.sartaonline.com https://urldefense.com/v3/__https://www.sartaonline.com__;!!I_DbfM1H!Clc6Cu_AS4YL0CG_mO19LT1xOth9icXagHKNwNtPRqj0Z3sbMgQSHGoITNj-j6OBDkDEmWDtxhPAtmlRyyto6o8r5U3j89Sa36mDsQ$
            Why am I receiving this? You received a new secure message from Adam Snyder via the Bracket encrypted email service. This notification is automated, so if you need technical support please contact your email administrator.
          Attachments:
            Key Value
            Received from a32-174.smtp-out.amazonses.com (a32-174.smtp-out.amazonses.com [54.240.32.174]) by mx0c-001a4c01.pphosted.com (PPS) with ESMTPS id 43xy4es2ww-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT) for <clinton.taggart@vontas.com>; Tue, 07 Jan 2025 10:29:36 -0500 (EST)
            Authentication-Results spf=softfail (sender IP is 67.231.158.153) smtp.mailfrom=ses.bracket.email; dkim=fail (body hash did not verify) header.d=bracket.email;dmarc=fail action=none header.from=bracket.email;compauth=none reason=405
            Received-Spf SoftFail (protection.outlook.com: domain of transitioning ses.bracket.email discourages use of 67.231.158.153 as permitted sender)
            Authentication-Results-Original ppops.net; spf=pass smtp.mailfrom=010001944162b446-fabc2cc8-1535-4aea-ad1b-c87ff534e939-000000@ses.bracket.email; dkim=pass header.d=bracket.email header.s=dndczxe4xk66qualyqnmiitf6yudbe3w; dkim=pass header.d=amazonses.com header.s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; dmarc=pass header.from=bracket.email
            Dkim-Signature v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1736263775; h=Date:From:To:Message-ID:Subject:Mime-Version:Content-Type:Content-Transfer-Encoding:Feedback-ID; bh=ddm2j1n2aqW0hDOIBTtw42K3Dr6WaktRDGOuFRS3afE=; b=BJTcvL9zEsceJtUJAuu5jfFuFYSPltOTuIbecigf/z2xE64QYMHuA2M1cdzCHd9n mitt1YIPZTdc1wuEtLmm8b5qoFYrfGw2SPufbhDjkp9V0IY40ytwA5TsNw+FdC55dW+ QvAiUdRdmvD/f/KXMcT8c2oXcgUzJAwCF0FKnreg=
            Date Tue, 07 Jan 2025 15:29:35 +0000
            From "Adam Snyder [Bracket]" <do.not.reply.with.email@bracket.email>
            To Clinton Taggart <clinton.taggart@vontas.com>
            Message-Id <010001944162b446-fabc2cc8-1535-4aea-ad1b-c87ff534e939-000000@email.amazonses.com>
            Subject New secure message: [RE: SARTA IP Address Assignments]
            Content-Type multipart/mixed; boundary="----sinikael-?=_1-17362644712110.8517809401634022"
            Content-Transfer-Encoding 7bit
            Feedback-Id ::1.us-east-1.CEfxDVN7YI9wgII6zjJBf8XYlWRFGcrzh0psGUgItkU=:AmazonSES
            X-Ses-Outgoing 2025.01.07-54.240.32.174
            X-Proofpoint-Orig-Guid 2nwHH4TqfFCQEuZQVp0XWdrpDmxsg-_f
            X-Clx-Shades MLX
            X-Proofpoint-Guid 2nwHH4TqfFCQEuZQVp0XWdrpDmxsg-_f
            MIME-Version 1.0
            X-Proofpointheader Yes
            X-Proofpoint-Virus-Version vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1057,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-01-07_03,2025-01-06_02,2024-11-22_01
            X-Proofpoint-Spam-Details rule=inbound_notspam policy=inbound score=0 bulkscore=0 adultscore=0 unknownsenderscore=20 phishscore=0 mlxscore=0 priorityscore=0 lowpriorityscore=0 mlxlogscore=802 clxscore=337 impostorscore=0 suspectscore=0 spamscore=0 malwarescore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2411120000 definitions=main-2501070129 domainage_hfrom=2819
            Return-Path 010001944162b446-fabc2cc8-1535-4aea-ad1b-c87ff534e939-000000@ses.bracket.email
            X-Ms-Exchange-Organization-Expirationstarttime 07 Jan 2025 15:29:38.4401 (UTC)
            X-Ms-Exchange-Organization-Expirationstarttimereason OriginalSubmit
            X-Ms-Exchange-Organization-Expirationinterval 1:00:00:00.0000000
            X-Ms-Exchange-Organization-Expirationintervalreason OriginalSubmit
            X-Ms-Exchange-Organization-Network-Message-Id 7bed9fa6-7964-470b-447f-08dd2f301936
            X-Eopattributedmessage 0
            X-Eoptenantattributedmessage 75c696ec-5bfb-4892-9a0c-9187a9061cd6:0
            X-Ms-Exchange-Organization-Messagedirectionality Incoming
            X-Ms-Publictraffictype Email
            X-Ms-Traffictypediagnostic DU6PEPF00009527:EE_|AM7P191MB0947:EE_|BN0PR07MB8896:EE_|BYAPR07MB4645:EE_
            X-Ms-Office365-Filtering-Correlation-Id 7bed9fa6-7964-470b-447f-08dd2f301936
            X-Ms-Exchange-Organization-Scl -1
            X-Microsoft-Antispam BCL:3;ARA:13230040|5062899012|5073199012|5063199012|82310400026|3072899012|2092899012|32142699015|12012899012|69100299015|1032899013|4123199012|46300299015|4076899003|2066899003|8096899003;
            X-Forefront-Antispam-Report CIP:67.231.158.153;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0c-001a4c01.pphosted.com;PTR:mx0c-001a4c01.pphosted.com;CAT:NONE;SFS:(13230040)(5062899012)(5073199012)(5063199012)(82310400026)(3072899012)(2092899012)(32142699015)(12012899012)(69100299015)(1032899013)(4123199012)(46300299015)(4076899003)(2066899003)(8096899003);DIR:INB;
            X-Ms-Exchange-Crosstenant-Originalarrivaltime 07 Jan 2025 15:29:38.0494 (UTC)
            X-Ms-Exchange-Crosstenant-Network-Message-Id 7bed9fa6-7964-470b-447f-08dd2f301936
            X-Ms-Exchange-Crosstenant-Id 75c696ec-5bfb-4892-9a0c-9187a9061cd6
            X-Ms-Exchange-Crosstenant-Authsource DU6PEPF00009527.eurprd02.prod.outlook.com
            X-Ms-Exchange-Crosstenant-Authas Anonymous
            X-Ms-Exchange-Crosstenant-Fromentityheader Internet
            X-Ms-Exchange-Transport-Crosstenantheadersstamped AM7P191MB0947
            X-Ms-Exchange-Organization-Authsource DU6PEPF00009527.eurprd02.prod.outlook.com
            X-Ms-Exchange-Organization-Authas Anonymous
            X-Ms-Exchange-Transport-Endtoendlatency 00:00:04.1041984
            X-Ms-Exchange-Processed-By-Bccfoldering 15.20.8314.015
            X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);

            Icon Hash:46070c0a8e0c67d6
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Jan 7, 2025 20:22:46.154380083 CET | 1.1.1.1 | 192.168.2.7 | 0x3773 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | - | CNAME (Canonical name) | IN (0x0001) | false
            Jan 7, 2025 20:22:46.154380083 CET | 1.1.1.1 | 192.168.2.7 | 0x3773 | No error (0) | s-part-0017.t-0009.t-msedge.net | - | 13.107.246.45 | A (IP address) | IN (0x0001) | false

            Target ID:1
            Start time:14:22:48
            Start date:07/01/2025
            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (12).eml"
            Imagebase:0x4f0000
            File size:34'446'744 bytes
            MD5 hash:91A5292942864110ED734005B7E005C0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:3
            Start time:14:22:53
            Start date:07/01/2025
            Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "BF5E7705-B5BE-4FDA-9650-2500CED26608" "448E66F3-4C72-41AE-9621-9CD5E869A73C" "8148" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
            Imagebase:0x7ff736690000
            File size:710'048 bytes
            MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            No disassembly