Windows Analysis Report
401K Information.eml

Overview

General Information

Sample name: 401K Information.eml
Analysis ID: 1500514
MD5: 44afe25f018b58ac85866b147abf94e1
SHA1: eb317c7b7e8a789fe71263385e0971b8c5b5a0c0
SHA256: 74a81ddead92a2904517b20e07332af5b4cd094fd631dbba7987904321dd361b

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores files to the Windows start menu directory

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6400 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\401K Information.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6212 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "258F636D-BC8C-49B4-A08D-0FC7532C0B40" "F4862158-F68E-495A-A931-CB0E3FEFC9E7" "6400" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 1828 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,Gt-9zkq0L2c9_-RbNalin-y9zKKNKGFNcTZgEM6qEI1bzdQ9uZao2TthsyJTaKQB_phlhgaIjo-0NAse94nCZrswA8-3cL4gnBM9NHT4&typo=1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 6752 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1952,i,12791176857807980012,13500640931778476753,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
    • chrome.exe (PID: 1732 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,ikcE_Q-2ykzekjQxLCyUE9os-WTlr6s95A4qPsThZ0KsNohdFre2Yg1AuoE_svmTjA-yo05MxYWx6eyOB6SmJNuNGleiNoSUjv9d3rFaGNQ,&typo=1 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 5924 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2000,i,13184550105852184081,16477811700311614895,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6400, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


AV Detection

Source: http://employeecenter.net/concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a; Avira URL Cloud: Label: phishing
Source: unknown; HTTPS traffic detected: 40.126.32.74:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.16:49732 version: TLS 1.2
Source: global traffic; HTTP traffic detected:
GET /concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a HTTP/1.1
Host: employeecenter.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Source: global traffic; DNS traffic detected: DNS query: linkprotect.cudasvc.com
Source: global traffic; DNS traffic detected: DNS query: employeecenter.net
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: classification engine; Classification label: mal48.winEML@26/11@12/143
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240828T0945510527-6400.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\401K Information.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "258F636D-BC8C-49B4-A08D-0FC7532C0B40" "F4862158-F68E-495A-A931-CB0E3FEFC9E7" "6400" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,Gt-9zkq0L2c9_-RbNalin-y9zKKNKGFNcTZgEM6qEI1bzdQ9uZao2TthsyJTaKQB_phlhgaIjo-0NAse94nCZrswA8-3cL4gnBM9NHT4&typo=1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1952,i,12791176857807980012,13500640931778476753,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,ikcE_Q-2ykzekjQxLCyUE9os-WTlr6s95A4qPsThZ0KsNohdFre2Yg1AuoE_svmTjA-yo05MxYWx6eyOB6SmJNuNGleiNoSUjv9d3rFaGNQ,&typo=1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2060 --field-trial-handle=2000,i,13184550105852184081,16477811700311614895,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7b8a2d94-0ac9-11d1-896c-00c04Fb6bfc4}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Registry Run Keys / Startup Folder (1); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1); Binary Padding
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (2); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction

Source | Detection | Scanner | Label | Link
401K Information.eml | 0% | ReversingLabs | |
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://employeecenter.net/concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a | 100% | Avira URL Cloud | phishing |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.google.com | 142.250.186.36 | true | false | | unknown
linkprotect.cudasvc.com | 3.68.35.227 | true | false | | unknown
employeecenter.net | 64.191.166.198 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://employeecenter.net/concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a | true | Avira URL Cloud: phishing | unknown
https://employeecenter.net/concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a | false | | unknown
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.186.35 | unknown | United States | 15169 | GOOGLEUS | false
1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false
142.250.186.36 | www.google.com | United States | 15169 | GOOGLEUS | false
3.68.35.227 | linkprotect.cudasvc.com | United States | 16509 | AMAZON-02US | false
3.209.70.247 | unknown | United States | 14618 | AMAZON-AESUS | false
239.255.255.250 | unknown | Reserved | unknown | unknown | false
51.116.246.106 | unknown | United Kingdom | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
142.250.185.164 | unknown | United States | 15169 | GOOGLEUS | false
64.191.166.198 | employeecenter.net | United States | 13776 | QX-NET-ASN-1US | false
64.233.184.84 | unknown | United States | 15169 | GOOGLEUS | false
142.250.184.227 | unknown | United States | 15169 | GOOGLEUS | false
142.250.184.206 | unknown | United States | 15169 | GOOGLEUS | false
172.217.16.142 | unknown | United States | 15169 | GOOGLEUS | false
Contacted private IPs:
IP
192.168.2.16
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1500514
          Start date and time:2024-08-28 15:45:02 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:defaultwindowsinteractivecookbook.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:11
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • EGA enabled
          Analysis Mode:stream
          Analysis stop reason:Timeout
          Sample name:401K Information.eml
          Detection:MAL
          Classification:mal48.winEML@26/11@12/143
          Cookbook Comments:
          • Found application associated with file extension: .eml
          • Exclude process from analysis (whitelisted): dllhost.exe
          • Excluded IPs from analysis (whitelisted): 20.166.126.56
          • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: 401K Information.eml
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:dropped
          Size (bytes):231348
          Entropy (8bit):4.389402693883218
          Encrypted:false
          SSDEEP:
          MD5:059E69CB8B87CC97D1BB364D209C04E8
          SHA1:63BDF716FC8FC4B2805D6EF3BB7F279B5E8EB6F1
          SHA-256:D3B49D711DDCEDA3E9367FE195BDE263424A254915DA2C5F94A8BD1D002C6487
          SHA-512:8AB940BE1172CC4170AE7D4FDAC3486A9858BB3D60647278589007391DDF6D5A950F7E9B65EB961417F1CE48A087A82F8173D89A0D40B8B53E4F73D136AECC3A
          Malicious:false
          Reputation:unknown
          Preview:TH02...... ....P.......SM01X...,....k.P...........IPM.Activity...........h...............h............H..h........J+.....h........0 ..H..h\cal ...pDat...h....0...X......h.-.............h........_`/k...h.,..@...I.lw...h....H...8.4k...0....T...............d.........2h...............k..............!h.............. h.`&,....p.....#h....8.........$h0 ......8....."hpt.......t....'h..............1h.-..<.........0h....4....4k../h....h.....4kH..h.s..p.........-h .............+h:-................ ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
          Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          File Type:data
          Category:modified
          Size (bytes):30
          Entropy (8bit):1.2389205950315936
          Encrypted:false
          SSDEEP:
          MD5:54CD0086E3D5EACCDA8F206E8E1669A1
          SHA1:E2682F46345461C26CD7948BFC645CD2514EB359
          SHA-256:3D3AA5A9A973066D3CA109501B64EA1249320854A00A745B3D8D33062DA8D61A
          SHA-512:D87ECC3C8EFE258D6C7D05B85168AF81B9CA3F8FF512092126A66E42397DBFBBD74EE26AC99BB6B4AD9504D2A290BF6CFFC36D71BDDA66BFBED34A5643ACDE20
          Malicious:false
          Reputation:unknown
          Preview:..............................
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Aug 28 12:46:03 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2673
          Entropy (8bit):3.9859461323643988
          Encrypted:false
          SSDEEP:
          MD5:94D3923212EE4A51D1F9FADF79DE9D05
          SHA1:1ED2C71F85FED270782128FD6D2E5489066CE9EC
          SHA-256:14C59DD43BA627DDE855266ACBDE4EE5D01A105A4B746035557615FF5D97D789
          SHA-512:D262D18F973180D53164E16A3EF6EB56E86E66C474FFDEF4A34B629C00988527EC777D4BD649F48C078A5C09E946F5BFC3CDDA6E628A590232F7D6F7C1743543
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,........P...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.m...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Aug 28 12:46:03 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2675
          Entropy (8bit):4.000530746346376
          Encrypted:false
          SSDEEP:
          MD5:49AF430BA39A5A2E2F11297F9F7C749F
          SHA1:E9A63275807A3DC4DBFBE3E246B6E490E30F5CE1
          SHA-256:66B6E3D831591115FB1A6CAA7C8D0DF3D6719F290B285066599E133D8E3EF4CB
          SHA-512:1D04D8DBCDFF4EDFCEB71E6C92D3DFA6C30887997D5E6FABA4C118B70E7950A87F598743D04C2D56E16284B490C3081975B6F31B91E0E4B3ACCF966DF049115A
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,....I..P...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.m...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:05:01 2023, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2689
          Entropy (8bit):4.009361291900357
          Encrypted:false
          SSDEEP:
          MD5:07EB3C231B34813E1070D7B6BCA4D8A1
          SHA1:3FCB52BB42902540C7A9637702CAE0465477A033
          SHA-256:D69CD7E17F8866C617390E79472AC1ABEB1E955B1FF50AAFFDC94B102D32D4B8
          SHA-512:32FC5A8C2ACF544BD80DDB06AE8E551B9A0293E614C7B432F3513FA8155215F718BEE410AFC90ACBFE2864C7481376B7EBE11167365DF25C3D365965C05D721D
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,.....Y.04...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.VFW.E...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Aug 28 12:46:03 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2677
          Entropy (8bit):4.000446136946821
          Encrypted:false
          SSDEEP:
          MD5:296A3FFDF89359CABAFEEDAD4577CBB8
          SHA1:924C4312B8C6A36091DD46BB463D8867B56A849B
          SHA-256:4992D52B94AE4CCE58C2E9097F2CEA9812C788AFED299EEEA6B9A8E0C7CBF542
          SHA-512:4AF2274D0D7D220F69425F4733DA82BC500F1630B4C43B07DC3F41B91B34542685250C84D3FA490D689CDFB2073840F9C61DB807E3E5884D39302E7F6BE4B04D
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,....w#.P...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.m...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Aug 28 12:46:03 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2677
          Entropy (8bit):3.9886734123100744
          Encrypted:false
          SSDEEP:
          MD5:12DC491ADD207027014FAD5AA1CA9958
          SHA1:5F67BC3139584328D3A92F2B2EA0493A95B9E322
          SHA-256:DF1090FE25DEE8B9A602829ADD184D0F66D49D19FF001662160F70D3B3D07A6A
          SHA-512:C0F25FC07C036D57A8FF9D63E936B9F70E9F72B3E1F48D52E01AB2B3F62373189A1370023B353F0AD50C29E1E30DBA3E3F4BBC4097673A4C65266338F9E0F924
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,....5...P...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.m...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Wed Aug 28 12:46:03 2024, atime=Wed Sep 27 04:28:28 2023, length=1210144, window=hide
          Category:dropped
          Size (bytes):2679
          Entropy (8bit):3.9961651947644716
          Encrypted:false
          SSDEEP:
          MD5:B7A7CA1E995F4936BC97DA2CD1413814
          SHA1:7B9528DC857FE46F034F57DBF6F21A6B61C6D93C
          SHA-256:3BDCEB9A74AC00BE6334EE9FA3C4E7137E9E7026225FEFF2B96C6D9671F20DA3
          SHA-512:7E5ACAEF2F1DA9E3D8637ED42B5FB8B5EBAD12387FD10AA9FA1C238636376DCED64D93D94F832667F1E9D7E6B9424963D57E81617C9A7A6D7D6D387857EB00EF
          Malicious:false
          Reputation:unknown
          Preview:L..................F.@.. ...$+.,....q..P...N.Yr.... w......................1....P.O. .:i.....+00.../C:\.....................1.....FW.J..PROGRA~1..t......O.I.Y.m....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y.m....L.....................p+j.G.o.o.g.l.e.....T.1.....CW.V..Chrome..>......CW.V.Y.m....M......................8..C.h.r.o.m.e.....`.1.....CW.V..APPLIC~1..H......CW.V.Y.m..........................."&.A.p.p.l.i.c.a.t.i.o.n.....n.2. w..;W.+ .CHROME~1.EXE..R......CW.V.Y.m...........................H..c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i...........=.......C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:HTML document, ASCII text, with CRLF line terminators
          Category:downloaded
          Size (bytes):1238
          Entropy (8bit):4.786364389161572
          Encrypted:false
          SSDEEP:
          MD5:4C37CE3E7BDC68D3C168AF6EB1BE726C
          SHA1:25ED4B6602C41756E6EC28EA03712E22B20B7C60
          SHA-256:02939E2AA3742339BEB97E90AC6B6724E88A398D07C105F2BA80E26459D53D1B
          SHA-512:EB7BDAFE64178F955EC80F1F92354D8ECC58CF68AA8D352710A6A02C18AB4569E9C188C946F3D18B14E951594FD7B0147FFC58611216FC9C11998E20F76AF067
          Malicious:false
          Reputation:unknown
          URL:https://employeecenter.net/concluded.php?k=ad4a33bebfe998976fb4f3bef6a6f82d83b6488a
          Preview:.. <!DOCTYPE html>.. <html>.. <title>CoreRecon</title>.. <head>.. <link href="https://3.209.70.247//stylesheet.css" media="screen" rel="Stylesheet" type="text/css"/>.. <link type="text/css" rel="stylesheet" href="/assets/css/bootstrap.min.css" />.. <link rel="apple-touch-icon" href="/assets/img/apple-touch-icon.png" />.. <link rel="shortcut icon" href="/assets/img/phishingbox1.ico" />.. </head>.. <body class="body" style="background: url(/assets/lp/hybridwater/img/header.jpg) no-repeat center center fixed !important">.. <div id="login-box">.. <div class="box-border box-border-radius box-shadow" style="max-width:500px; margin: auto; margin-top: 20%">.. <div class="box-padding">.. <h2 id="login-logo"><a href="https://portal.hooksecurity.net" style="color:white"><span>CoreRecon Test Has Concluded</span></a></h2>.. <div class="successCont box-border box-padding box-margin-bottom box-border-radi
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:ASCII text, with very long lines (65371)
          Category:downloaded
          Size (bytes):121200
          Entropy (8bit):5.0982146191887106
          Encrypted:false
          SSDEEP:
          MD5:EC3BB52A00E176A7181D454DFFAEA219
          SHA1:6527D8BF3E1E9368BAB8C7B60F56BC01FA3AFD68
          SHA-256:F75E846CC83BD11432F4B1E21A45F31BC85283D11D372F7B19ACCD1BF6A2635C
          SHA-512:E8C5DAF01EAE68ED7C1E277A6E544C7AD108A0FA877FB531D6D9F2210769B7DA88E4E002C7B0BE3B72154EBF7CBF01A795C8342CE2DAD368BD6351E956195F8B
          Malicious:false
          Reputation:unknown
          URL:https://employeecenter.net/assets/css/bootstrap.min.css
          Preview:/*!. * Bootstrap v3.3.7 (http://getbootstrap.com). * Copyright 2011-2016 Twitter, Inc.. * Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE). *//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-webkit-text-size-adjust:100%;-ms-text-size-adjust:100%}body{margin:0}article,aside,details,figcaption,figure,footer,header,hgroup,main,menu,nav,section,summary{display:block}audio,canvas,progress,video{display:inline-block;vertical-align:baseline}audio:not([controls]){display:none;height:0}[hidden],template{display:none}a{background-color:transparent}a:active,a:hover{outline:0}abbr[title]{border-bottom:1px dotted}b,strong{font-weight:700}dfn{font-style:italic}h1{margin:.67em 0;font-size:2em}mark{color:#000;background:#ff0}small{font-size:80%}sub,sup{position:relative;font-size:75%;line-height:0;vertical-align:baseline}sup{top:-.5em}sub{bottom:-.25em}img{border:0}svg:not(:root){overflow:hidden}figure{margin:1em 40px}hr
          Process:C:\Program Files\Google\Chrome\Application\chrome.exe
          File Type:MS Windows icon resource - 6 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
          Category:dropped
          Size (bytes):46646
          Entropy (8bit):2.684885710287902
          Encrypted:false
          SSDEEP:
          MD5:574E3AC085A6FF12FA2E5D00C06A6EE1
          SHA1:65C420C2336F00CE3703A9051CAF56ACDC5030A6
          SHA-256:A1D3104B7823270185523F97D3B073638F9EF2541B23A7EFEDA57CBBC15992ED
          SHA-512:F3F4CEAC19FB5CD45820034893C892495AA21ACB1CA6053B7C1D99DE41E363853E57F87EEC050DDBEDFA730DBB69E34700529C30B8A7813F073C459F0FC39BAA
          Malicious:false
          Reputation:unknown
          Preview:............ .h...f......... ......... .... .....V...00.... ..%......66.... .h/...D..@@.... .(B...t..(....... ..... ......................................................................................................................................................................................................................................U...^...`...U...........................^...^.&.Z.%.............\...`...`...^...@...................[.*._...`...`...........^..._...`...`...`...]...I..........f3..._..`..._..b...I...]..._..`...`...`...`...`..._...U...U..._...`..._..`.......].{._...[.*.^...`...`...`...`...`...^...i...e...d...].7........._.._...[.*.^...`...`...`...`...`...^.............9.........Z...]..._..`...`...`...`...`..._...U..............................^..._...`...`...`...]...I.......................................\...`...`...^...@....................*......................U...^...`...U...............................&..%..........................
          File type:RFC 822 mail, ASCII text, with very long lines (2605), with CRLF line terminators
          Entropy (8bit):6.037633769430947
          TrID:
          • E-Mail message (Var. 5) (54515/1) 100.00%
          File name:401K Information.eml
          File size:11'917 bytes
          MD5:44afe25f018b58ac85866b147abf94e1
          SHA1:eb317c7b7e8a789fe71263385e0971b8c5b5a0c0
          SHA256:74a81ddead92a2904517b20e07332af5b4cd094fd631dbba7987904321dd361b
          SHA512:65099d33e9db6c7b2609bf6d63a9e57bde3a93a16f0ab43f2c99001f1e5d813bb23cec77190b40b4d3e188c91d7e4f7b806e3961f90e1321791ce4514df60891
          SSDEEP:192:bfn69IwrmPlmlD9wRKT7J+XUp6SMKPOLJEofdxEGqD/kf7We0ftoG:Ln6KwqPlmB9w0T7J+H7KPYEofdxnqD62
          TLSH:FF326CB2DD14081CAB46D1EDC4005841FAE270D19AA3E5E5399E4AC921EF463BFAF1DF
          File Content Preview:Received: from SA2PR16MB4154.namprd16.prod.outlook.com.. (2603:10b6:806:14b::20) by DM5PR16MB2197.namprd16.prod.outlook.com with.. HTTPS; Thu, 22 Aug 2024 18:48:18 +0000..Received: from BN9P223CA0024.NAMP223.PROD.OUTLOOK.COM.. (2603:10b6:408:10b::29) by S
          Subject:401K Information
          From:HR Department <hr@employeecenter.net>
          To:Carrie Downs <cdowns@murexltd.com>
          Cc:
          BCC:
          Date:Thu, 22 Aug 2024 14:48:07 -0400
Communications:
• Hi Carrie Downs, We are working on the 401K documentation and it seems like the social security number we have on file for you may be incorrect. We have XXX-XX-8498 for you. Is it correct? Please let us know ASAP, we need to submit the paperwork by EOD. Best, HR Department. Click here to provide correct information.
• Links in the body, all rewritten through Barracuda link protection (the a= parameter of each linkprotect.cudasvc.com URL carries the percent-encoded original target):
  "submit the paperwork" -> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,Gt-9zkq0L2c9_-RbNalin-y9zKKNKGFNcTZgEM6qEI1bzdQ9uZao2TthsyJTaKQB_phlhgaIjo-0NAse94nCZrswA8-3cL4gnBM9NHT4&typo=1
  "here" -> https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,ikcE_Q-2ykzekjQxLCyUE9os-WTlr6s95A4qPsThZ0KsNohdFre2Yg1AuoE_svmTjA-yo05MxYWx6eyOB6SmJNuNGleiNoSUjv9d3rFaGNQ,&typo=1
  (no anchor text) https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2ffound.php%3fk%3dad4a33bebfe998976fb4f3bef6a6f82d83b6488a&c=E,1,G_45fa0j_Rj-KUa86-KxuuXaD7xAltK9nndsBZ1AXAXvBmc9VJ30eZUqqgk6w3OkR6sRvVdFx83aPgTmF0V71Z1ZHKtqHZlE0NX5P9osbWeWObdM&typo=1
          Attachments:
Key: Value
Received: from mr-iwire.testingcenter.net (mr-iwire.testingcenter.net [64.191.166.196]) by mx-inbound8-205.us-east-2a.ess.aws.cudaops.com (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Thu, 22 Aug 2024 18:48:07 +0000
Authentication-Results: spf=fail (sender IP is 209.222.82.35) smtp.mailfrom=employeecenter.net; dkim=fail (body hash did not verify) header.d=employeecenter.net;dmarc=fail action=none header.from=employeecenter.net;compauth=none reason=405
Received-Spf: pass (mx-inbound8-205.us-east-2a.ess.aws.cudaops.com: domain of hr@employeecenter.net designates 64.191.166.196 as permitted sender)
Date: Thu, 22 Aug 2024 14:48:07 -0400
To: Carrie Downs <cdowns@murexltd.com>
From: HR Department <hr@employeecenter.net>
Reply-To: hr@employeecenter.net
Subject: 401K Information
Message-Id: <o5DX52HGWogpKT5PTDCx7DsGUuHJsrRiIVLTUIlzoaw@portal.phishingbox.com>
X-Mailer: PHPMailer 6.6.5 (https://github.com/PHPMailer/PHPMailer)
X-Phishkey: ad4a33bebfe998976fb4f3bef6a6f82d83b6488a
X-Phishtest: PhishingBox
X-Special-Action: ad4a33bebfe998976fb4f3bef6a6f82d83b6488a
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17243624596220.1448137113830832"
Dkim-Signature: v=1; d=employeecenter.net; s=pbox; a=rsa-sha256; q=dns/txt; t=1724352487; c=relaxed/simple; h=Date:To:From:Reply-To:Subject:Message-ID:X-Mailer:MIME-Version:Content-Type; i=hr@employeecenter.net; z=Date:Thu,=2022=20Aug=202024=2014:48:07=20-0400 |To:cdowns@murexltd.com |From:HR=20Department=20<hr@employeecenter.net> |Reply-To:hr@employeecenter.net |Subject:401K=20Information |Message-ID:<o5DX52HGWogpKT5PTDCx7DsGUuHJsrRiIVLTUIlzoaw@portal.phishingbo x.com> |X-Mailer:PHPMailer=206.6.5=20(https://github.com/PHPMailer/PHPMailer) |MIME-Version:1.0 |Content-Type:multipart/alternative=3B=20boundary=3D"b1_o5DX52HGWogpKT5PTD Cx7DsGUuHJsrRiIVLTUIlzoaw"; bh=d9Qb+u+rcVZMzxf4GBCudwN1tBBkzJXwDsn2791igdM=; b=lWe544ecf/AHF6pzew9Wk7WKaXZhvhG406qlFArc/xpGQcit0aEShVrEbG2PHTjaAW6yjnKKd oXWRW5cOiWwxgUeIZiGDGnGnD1/c1noKETZUSsN00F/3LKxp1J1lyQEAab1SFH22EC7rRk/LS DmmZxaaHTjDE2x3oYmGVsfMgE27AksAvzP0Gb+26NCibCSC7Dy7dMWrNgBzCO5U4/0KvNIpdf /2SuQgZpxjxg15NEqAy/h8fMxvl3OQetMo9SRwMT79C3iNs7bLqshM2voNVE/uJEOOWAfd2qL tf8vE5Qiioqn6yFtLzUSu7IvEF+ruJuDD9tTLCZG5lAYYISQ2g==
X-Bess-Id: 1724352487-102253-12649-3540-1
X-Bess-Ver: 2019.1_20240812.1719
X-Bess-Apparent-Source-Ip: 64.191.166.196
X-Bess-Parts: H4sIAAAAAAACAzXLOwrDQAxF0b2odjGar+SthBT6jHFjXGSKQPDeM4XdPC4Pzu sH/TtghTF3gfMDayKasc+vB1GUbNGJYjNHEmdLQbxtKtXhWh6+j+PmGDncPoljKa3XGq xgRhZOObAVVvW+KVzvP2o3bYKAAAAA
X-Bess-Spam-Status: SCORE=0.01 using domain:184201 scores of QUARANTINE_LEVEL=3.0 KILL_LEVEL=5.0 tests=HTML_SHORT_LINK_IMG_2, HTML_MESSAGE, BSF_SC7_SG0146_1, HTML_IMAGE_ONLY_16
X-Bess-Spam-Score: 0.01
Authentication-Results-Original: mx-inbound8-205.us-east-2a.ess.aws.cudaops.com; spf=pass (sender IP is 64.191.166.196) smtp.mailfrom=hr@employeecenter.net; dkim=pass header.d=employeecenter.net; dmarc=none header.from=hr@employeecenter.net
X-Bess-Spam-Report: Code version 3.2, rules version 3.2.2.258522 [from cloudscan11- 185.us-east-2a.ess.aws.cudaops.com] Rule breakdown below pts rule name description ---- ---------------------- -------------------------------- 0.00 HTML_SHORT_LINK_IMG_2 META: HTML is very short with a linked image 0.00 HTML_MESSAGE BODY: HTML included in message 0.01 BSF_SC7_SG0146_1 META: Custom rule SG0146_1 0.00 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
X-Bess-Brts-Status: 1
Return-Path: hr@employeecenter.net
X-Ms-Exchange-Organization-Expirationstarttime: 22 Aug 2024 18:48:13.8912 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id: 86021ad3-0eed-4f92-5182-08dcc2dafa5e
X-Eopattributedmessage: 0
X-Eoptenantattributedmessage: d5ea0ba6-3c9e-43c2-9d1e-fffeb0d842e5:0
X-Ms-Exchange-Organization-Messagedirectionality: Incoming
X-Ms-Publictraffictype: Email
X-Ms-Traffictypediagnostic: BN3PEPF0000B374:EE_|SA2PR16MB4154:EE_|DM5PR16MB2197:EE_
X-Ms-Exchange-Organization-Authsource: BN3PEPF0000B374.namprd21.prod.outlook.com
X-Ms-Exchange-Organization-Authas: Anonymous
X-Ms-Office365-Filtering-Correlation-Id: 86021ad3-0eed-4f92-5182-08dcc2dafa5e
X-Ms-Exchange-Organization-Scl: -1
X-Ipw-Groupmember: False
X-Microsoft-Antispam: BCL:0;ARA:13230040|31092699021|69100299015|5073199012|43540500003;
X-Forefront-Antispam-Report: CIP:209.222.82.35;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:outbound-ip167a.ess.barracuda.com;PTR:outbound-ip167a.ess.barracuda.com;CAT:NONE;SFS:(13230040)(31092699021)(69100299015)(5073199012)(43540500003);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime: 22 Aug 2024 18:48:13.6099 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id: 86021ad3-0eed-4f92-5182-08dcc2dafa5e
X-Ms-Exchange-Crosstenant-Id: d5ea0ba6-3c9e-43c2-9d1e-fffeb0d842e5
X-Ms-Exchange-Crosstenant-Authsource: BN3PEPF0000B374.namprd21.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas: Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
X-Ms-Exchange-Transport-Crosstenantheadersstamped: SA2PR16MB4154
X-Ms-Exchange-Transport-Endtoendlatency: 00:00:05.1046414
X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.7897.007
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info: (value not preserved in this copy of the report)
Content-Transfer-Encoding: 7bit

            Icon Hash:46070c0a8e0c67d6
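Two things in the headers above are worth checking programmatically rather than by eye. First, the authentication verdict differs by hop: Authentication-Results-Original, stamped by the Barracuda inbound relay, records spf=pass for 64.191.166.196 and dkim=pass, while the later Authentication-Results, stamped on the Microsoft side, records spf=fail for sender IP 209.222.82.35 (the Barracuda outbound relay named in X-Forefront-Antispam-Report) and dkim=fail with "body hash did not verify", which is consistent with the body having been rewritten in transit (every link in the body is a linkprotect.cudasvc.com URL). Reading only the last hop would call this a spoof; reading only the first would call it clean. Second, the message carries X-Phishtest: PhishingBox, X-Phishkey, and a Message-Id at portal.phishingbox.com, and the page served by employeecenter.net titles itself "CoreRecon Test Has Concluded" with a phishingbox1.ico favicon, so the Avira "phishing" verdict on concluded.php is firing on a phishing-simulation platform's infrastructure. The Python below is an added example, not part of the Joe Sandbox report or of any tool it names: it parses a constructed .eml whose headers and one link are copied from this report, compares the two Authentication-Results chains, unwraps the linkprotect URL to its a= target, and collects the simulation markers. The function names (parse_auth_results, unwrap_linkprotect, triage) and the trimmed sample message are the example's own.

```python
"""Triage an .eml: per-hop authentication results, Barracuda link-protect
unwrapping, and phishing-simulation markers (added example, not report code)."""
import json
import re
from email import policy
from email.parser import Parser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: headers copied from the report above, body reduced to one
# sentence and one rewritten link. This is not the original message file.
SAMPLE_EML = """\
Received: from mr-iwire.testingcenter.net (mr-iwire.testingcenter.net [64.191.166.196]) by mx-inbound8-205.us-east-2a.ess.aws.cudaops.com; Thu, 22 Aug 2024 18:48:07 +0000
Authentication-Results: spf=fail (sender IP is 209.222.82.35) smtp.mailfrom=employeecenter.net; dkim=fail (body hash did not verify) header.d=employeecenter.net;dmarc=fail action=none header.from=employeecenter.net;compauth=none reason=405
Authentication-Results-Original: mx-inbound8-205.us-east-2a.ess.aws.cudaops.com; spf=pass (sender IP is 64.191.166.196) smtp.mailfrom=hr@employeecenter.net; dkim=pass header.d=employeecenter.net; dmarc=none header.from=hr@employeecenter.net
From: HR Department <hr@employeecenter.net>
To: Carrie Downs <cdowns@murexltd.com>
Subject: 401K Information
Message-Id: <o5DX52HGWogpKT5PTDCx7DsGUuHJsrRiIVLTUIlzoaw@portal.phishingbox.com>
X-Mailer: PHPMailer 6.6.5 (https://github.com/PHPMailer/PHPMailer)
X-Phishtest: PhishingBox
X-Phishkey: ad4a33bebfe998976fb4f3bef6a6f82d83b6488a
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Click here to provide correct information:
https://linkprotect.cudasvc.com/url?a=https%3a%2f%2femployeecenter.net%2froute%2fad4a33bebfe998976fb4f3bef6a6f82d83b6488a%2f&c=E,1,Gt-9zkq0L2c9_-RbNalin-y9zKKNKGFNcTZgEM6qEI1bzdQ9uZao2TthsyJTaKQB_phlhgaIjo-0NAse94nCZrswA8-3cL4gnBM9NHT4&typo=1
"""

# One "method=result" clause per ';'-separated segment (RFC 8601 layout).
AUTH_RE = re.compile(r"^(spf|dkim|dmarc|arc|compauth)=(\w+)", re.IGNORECASE)

# Headers the simulation platform stamps on its own messages (seen above).
SIMULATION_HEADERS = ("X-Phishtest", "X-Phishkey", "X-Special-Action")


def parse_auth_results(value):
    """Map method -> result for one Authentication-Results value.
    A leading authserv-id segment (no 'method=result') is skipped."""
    results = {}
    for segment in value.split(";"):
        m = AUTH_RE.match(segment.strip())
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def unwrap_linkprotect(url):
    """Return the real target of a Barracuda link-protect URL; the target
    travels percent-encoded in the 'a' query parameter. Other URLs pass through."""
    parts = urlsplit(url)
    if parts.hostname == "linkprotect.cudasvc.com" and parts.path == "/url":
        target = parse_qs(parts.query).get("a")
        if target:
            return target[0]
    return url


def triage(raw_eml):
    """Summarise the points an analyst checks first on a message like this one."""
    msg = Parser(policy=policy.default).parsestr(raw_eml)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    links = re.findall(r"https?://\S+", body)
    message_id = str(msg.get("Message-Id") or "")
    return {
        # Verdict at the last hop (what the mailbox provider saw).
        "final_hop": parse_auth_results(msg.get("Authentication-Results", "")),
        # Verdict at the first filtering hop, before relay and link rewriting.
        "original_hop": parse_auth_results(msg.get("Authentication-Results-Original", "")),
        "links": links,
        "targets": sorted({unwrap_linkprotect(u) for u in links}),
        "simulation_markers": {h: str(msg[h]) for h in SIMULATION_HEADERS if h in msg},
        "message_id_domain": message_id.rsplit("@", 1)[-1].rstrip(">"),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EML), indent=2))
```

The two auth dictionaries disagree by design: SPF is evaluated against the connecting IP, so once a relay forwards the message the last hop sees the relay's IP, and DKIM covers the body, so link rewriting invalidates the signature. The original-hop verdict is the one that says whether the sending domain authenticated; the final-hop verdict says whether the relay chain preserved that, and only the combination of the two plus the simulation markers explains this report's mix of a 0% file verdict and a 100% phishing verdict on the landing URL.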