Windows Analysis Report
phish_alert_iocp_v1.3.98.eml

Overview

General Information

Sample name: phish_alert_iocp_v1.3.98.eml
Analysis ID: 1500948
MD5: f00ee5d6f5b655fea920ca328fdf466a
SHA1: 8d39cc56c619724570e784f29fac37656efee314
SHA256: f48951607bf1ade283601002adb9b95bd2f9460c41d59c488221e5f3f1bd54c4

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 6072 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.3.98.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6196 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9F5C92DD-03E5-4AA4-A613-EBF977ACB98B" "86A069B2-EC86-4D1D-AFCF-25EA6C58A635" "6072" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6072, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Source: phish_alert_iocp_v1.3.98.eml; String found in binary or memory: http://intterragroup.com/
Source: ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr; String found in binary or memory: https://cdn.intterra.io/public/images/intterra-logo-refresh.png
Source: phish_alert_iocp_v1.3.98.eml; String found in binary or memory: https://gcc02.safelinks.protection.outlook.com/?url=
Source: ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr; String found in binary or memory: https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fintterragroup.com%2F&data=05%7C02%7
Source: ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr; String found in binary or memory: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelpdocs.intterragroup.com%2Fknowl
Source: ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr; String found in binary or memory: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiam.ngscout.org%2Faccount%2Fresetp
Source: ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr; String found in binary or memory: https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intterragroup.com%2F&data=05%7
Source: phish_alert_iocp_v1.3.98.eml; String found in binary or memory: https://helpdocs.intterragroup.com/knowledge/intterra-quick-start
Source: phish_alert_iocp_v1.3.98.eml; String found in binary or memory: https://iam.ngscout.org/account/resetpassword?id=
Source: phish_alert_iocp_v1.3.98.eml; String found in binary or memory: https://www.intterragroup.com/
Source: classification engine; Classification label: clean1.winEML@3/16@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240829T0055340255-6072.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.3.98.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9F5C92DD-03E5-4AA4-A613-EBF977ACB98B" "86A069B2-EC86-4D1D-AFCF-25EA6C58A635" "6072" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix, listed per tactic (the report's per-technique count, where it gives one, is in parentheses):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows)
Defense Evasion: Masquerading (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: Data Obfuscation; Junk Data; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Behavior Graph ID: 1500948; Sample: phish_alert_iocp_v1.3.98.eml; Start date: 29/08/2024; Architecture: WINDOWS; Score: 1. Process chain: OUTLOOK.EXE (66, 137) started ai.exe.

Source | Detection | Scanner | Label
phish_alert_iocp_v1.3.98.eml | 0% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://intterragroup.com/ | 0% | Avira URL Cloud | safe
https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fintterragroup.com%2F&data=05%7C02%7 | 0% | Avira URL Cloud | safe
https://www.intterragroup.com/ | 0% | Avira URL Cloud | safe
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intterragroup.com%2F&data=05%7 | 0% | Avira URL Cloud | safe
https://iam.ngscout.org/account/resetpassword?id= | 0% | Avira URL Cloud | safe
https://cdn.intterra.io/public/images/intterra-logo-refresh.png | 0% | Avira URL Cloud | safe
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelpdocs.intterragroup.com%2Fknowl | 0% | Avira URL Cloud | safe
https://helpdocs.intterragroup.com/knowledge/intterra-quick-start | 0% | Avira URL Cloud | safe
http://intterragroup.com/ | 0% | Virustotal |
https://www.intterragroup.com/ | 0% | Virustotal |
https://iam.ngscout.org/account/resetpassword?id= | 0% | Virustotal |
https://gcc02.safelinks.protection.outlook.com/?url= | 0% | Avira URL Cloud | safe
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiam.ngscout.org%2Faccount%2Fresetp | 0% | Avira URL Cloud | safe
https://cdn.intterra.io/public/images/intterra-logo-refresh.png | 0% | Virustotal |
https://gcc02.safelinks.protection.outlook.com/?url= | 0% | Virustotal |
https://helpdocs.intterragroup.com/knowledge/intterra-quick-start | 0% | Virustotal |
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://intterragroup.com/ | phish_alert_iocp_v1.3.98.eml | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fintterragroup.com%2F&data=05%7C02%7 | ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://www.intterragroup.com/ | phish_alert_iocp_v1.3.98.eml | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intterragroup.com%2F&data=05%7 | ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://iam.ngscout.org/account/resetpassword?id= | phish_alert_iocp_v1.3.98.eml | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://cdn.intterra.io/public/images/intterra-logo-refresh.png | ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelpdocs.intterragroup.com%2Fknowl | ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
https://helpdocs.intterragroup.com/knowledge/intterra-quick-start | phish_alert_iocp_v1.3.98.eml | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://gcc02.safelinks.protection.outlook.com/?url= | phish_alert_iocp_v1.3.98.eml | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiam.ngscout.org%2Faccount%2Fresetp | ~WRS{6DA2DB0C-3281-42E7-961A-8201D8B69FC3}.tmp.0.dr | false | Avira URL Cloud: safe | unknown
No contacted IP infos
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1500948
Start date and time: 2024-08-29 06:54:28 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 30s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phish_alert_iocp_v1.3.98.eml
Detection: CLEAN
Classification: clean1.winEML@3/16@0/0
EGA Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132, 184.28.90.27, 52.109.89.19, 2.19.126.151, 2.19.126.160, 20.189.173.13
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-000.roaming.officeapps.live.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com, login.live.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedscolprdwus12.westus.cloudapp.azure.com, s-0005.s-msedge.net, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, mobile.events.data.trafficmanager.net
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
No simulations
Input: URL: Email; Model: jbxai
Output:
{
  "brand": ["NG SCOUT"],
  "contains_trigger_text": false,
  "prominent_button_name": "Verify Account",
  "text_input_field_labels": ["Your username is: arroyov"],
  "pdf_icon_visible": false,
  "has_visible_captcha": false,
  "has_urgent_text": false,
  "has_visible_qrcode": false
}
No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 231348
Entropy (8bit): 4.381307099051743
Encrypted: false
SSDEEP: 3072:XE8gQRlgemiGu2gqoQOrt0FvoYwy8lk9S:02Jmi29fwy8lkg
MD5: 6E9952152C2A200AA2CA03D43C1EC961
SHA1: A0ACE319B264CF8DD63838E715F6709A7AE26BA6
SHA-256: 15AFBE10E0EE88CDFEBE4B3AD2B1E0ECB95CF28D32280597152D786F9468F2CD
SHA-512: C642312C0321F02D265423AA3BF7217D1EDB7AFAF76C7C56C3294766C9CEA553209366DC5DF65D4A7B4D465417FBAA24489B94D249879B96704218A8725D8F09
Malicious: false
Reputation: low
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category: dropped
Size (bytes): 1869
Entropy (8bit): 5.085763792020755
Encrypted: false
SSDEEP: 48:cGUdSyrznzyNdyndycSyrMnzyrAnzyrRdnzycASy6dyhJdyIkSyO:sdbH2NEnEcb42k21d2cAb6ELE3bO
MD5: D939EB102C033D3F1BE91B71C5349B2D
SHA1: 430E0BB9CF29D7688B6A10BA2AD3EEAD2CCB47B3
SHA-256: 14AE98151F70071083ACE36986D89FE233FE0445F6C9DFDA91C3647F8C84700F
SHA-512: 6505440CAC6338B211AF1F988791C6423194E38D84A2B0B480B67741CC5792A3C4CF9E768ECF6728C8CC7CB7539D26F8376A0471DCC747F08D1C61A9CB977470
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Narrow_26215424</Id><LAT>2024-08-29T04:55:34Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2024-08-29T04:55:34Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-08-29T04:55:34Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-08-29T04:55:34Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2024-08-29T04:55:34Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2024-08-29T04:55:34Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with very long lines (65536), with no line terminators
Category: dropped
Size (bytes): 322260
Entropy (8bit): 4.000299760592446
Encrypted: false
SSDEEP: 6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5: CC90D669144261B198DEAD45AA266572
SHA1: EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512: 16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious: false
Reputation: high, very likely benign file
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 10
Entropy (8bit): 2.9219280948873623
Encrypted: false
SSDEEP: 3:LBc47:tn
MD5: 6AFFE6E1B5AA1E8CF570770CB9B6B4DC
SHA1: 2D9A4F11A8D6DBB0874428152E2160F535B73F14
SHA-256: 92AC651150B9AE473C4CBC7271A9B04DB9A66367512EFD3A0FE2222EE8ED7592
SHA-512: A9C25E96B381FB71552E4BCB100DBB8BF834B2C03F50B4B271563403735B8FE4D04056910716FAEB0E03E7E24558EA4E13656C85B04CCC53207646BACEB45EEB
Malicious: false
Reputation: low
Preview: 1724907338
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category: dropped
Size (bytes): 4096
Entropy (8bit): 0.09304735440217722
Encrypted: false
SSDEEP: 3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5: D0DE7DB24F7B0C0FE636B34E253F1562
SHA1: 6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256: B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512: 42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious: false
Reputation: moderate, very likely benign file
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: SQLite Rollback Journal
Category: dropped
Size (bytes): 4616
Entropy (8bit): 0.1384465837476566
Encrypted: false
SSDEEP: 3:7FEG2l+6x/ul/FllkpMRgSWbNFl/sl+ltlslN04l9Xll6xn:7+/lJmg9bNFlEs1E39S
MD5: 4AB07A702132A50FBF7229C96EEA7CCA
SHA1: 78BFDDF08CEBEBEE4DFD3748365F24BA299F12BB
SHA-256: 7952ED9DCF2520667AE733702523EFC6C7E44AA39A87254FB5EC9BEC979DC1DE
SHA-512: E2752F7C47A07F3D87C6B14A87C236C8EB8A9A2CBD434E1BEF2ED29EED987E584680B085D5F212B3FBB4BEB1D66DD79BAF705808315009A4B691B6C2BCFC4206
Malicious: false
Reputation: low
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.0441720588658491
Encrypted:false
SSDEEP:6:G4l2jKSxgbpl2jKSxgbzML9XXPH4l942U:l2bxgbL2bxgbw5A0
MD5:9CBD9CB7A40AE6080739B0C279F21668
SHA1:37BDB1FAC555D839A981CEAC18A1334FBF8E0040
SHA-256:D4557CDC60687EAE823536E1F9B294CE45DD241C824A39D3C347F5E1B3BA6AB0
SHA-512:6F606535B2BCCC0B679C75DE190AA7BE76214ECA3BB75F104960DB2B092C1D4C6578B68C0EE6764097AAC111676B41E7C2EB5212EFD18EECD755FCD7786E0474
Malicious:false
Reputation:low
Preview:..-.......................w....X.`...e.Q..-...>\..-.......................w....X.`...e.Q..-...>\........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):45352
Entropy (8bit):0.39383069825463557
Encrypted:false
SSDEEP:48:9RXTQj8YATeUill7DYM8FXCxO8VFDYM8x:8bAToll4RIjVG
MD5:BF764CC9E435DFDF51DA6A32BBB306EE
SHA1:8D271C6E85577469E9F02EF6B76BF934B78DDD5C
SHA-256:48F18D7B3BEC7A2334956C1580EB5CB57D074E990361516DD40E1F364251BD29
SHA-512:A81089CE8A1EEC0C6E1087824C8537217E5CB9E1E510918CA588275C3B9257D97252BF760010793DD628FB75E8A97E31CF9BB8A98D1EE2C80D3A4B34EF1DA3DE
Malicious:false
Reputation:low
Preview:7....-...........`...e.Q..c..............`...e.Q.b.d.6..SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):9596
Entropy (8bit):3.67784047457538
Encrypted:false
SSDEEP:192:AzYD7CfmiXWWWDqWGl9eFCAkmO6RGCbpmhuulEC6m:AzYS5WWWDqWGusdKNb8uulX
MD5:450F81C9F8D8598F0859068ED849E5ED
SHA1:E538E073BE77A35BBC3772F50847742606A77649
SHA-256:B25B7EAB9E9DBFEE459BD10CC9E7FE0C195C79EEA6F1EAE532B1412E3C947FD2
SHA-512:6D06114E96CBA4F174429323299EB5EDB2792A514C8B56CBF1C18869F78446E0B2985399DE51304320EFA8FECF496FCDFFB011559E4AC04D3670C49858448306
Malicious:false
Preview:....T.h.i.s. .M.e.s.s.a.g.e. .i.s. .F.r.o.m. .a.n. .E.x.t.e.r.n.a.l. .S.e.n.d.e.r. ...T.h.i.s. .m.e.s.s.a.g.e. .c.a.m.e. .f.r.o.m. .o.u.t.s.i.d.e. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... ...........T.o. .a.c.t.i.v.a.t.e. .y.o.u.r. .a.c.c.o.u.n.t.,. .c.l.i.c.k. .o.n. .t.h.e. .l.i.n.k. .b.e.l.o.w. .................................................................................................................................................................................................................................................*..............."...........................................................................................................................................................................................................................................................................................................................*...$..$.If........!v..h.#v....:V.......t.....6......5.......4........4........a.........$.a$.............[$.\$.............[$.\$...
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28740), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16320567721425472
Encrypted:false
SSDEEP:1536:qn14YI8bKJhAxHtwILpT+MQp77leHazzpPhMrO7BFxamJInZbUVUvsjikYn6yJLs:mD7dI7ltpRHQ
MD5:8FD649A9288CA9FFA24F0E948DB690C3
SHA1:D989713D73E3E7C9326907AF7E643C72A41CE31E
SHA-256:3E4D6CF5C8F2CE408838AC304317C528BB2FD134576FADEAE1B260861766C5E6
SHA-512:6B7AD531A792299BF6E102D94AF4EDB9D089B25FDD8ADFC29F36612C6B79EEF0D1232700CB8E93765132E75D602BE38E92C281770BD52D6ECA2636A06184E06A
Malicious:false
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..08/29/2024 04:55:34.662.OUTLOOK (0x17B8).0x18BC.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":25,"Time":"2024-08-29T04:55:34.662Z","Contract":"Office.System.Activity","Activity.CV":"7pfZPtl10kCzeyp2LXdutQ.4.11","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...08/29/2024 04:55:34.677.OUTLOOK (0x17B8).0x18BC.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":27,"Time":"2024-08-29T04:55:34.677Z","Contract":"Office.System.Activity","Activity.CV":"7pfZPtl10kCzeyp2LXdutQ.4.12","Activity.Duration":10894,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajor
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):106496
Entropy (8bit):4.5098329473950685
Encrypted:false
SSDEEP:768:uwXVYCZb40J6nKxU3I43rU59V68UvAsTXq+MK5WbWpWiWgniik4c:bTT43459V68UIsTX7nM
MD5:16DB4FDA26270F363C324E4C028C3F57
SHA1:4D0CDC776B7F69A58F48E1C215FE6E97CF96D664
SHA-256:720B88B09BFEC72A46B183F688C23E2585D0FEFF334A971E29D84840E19A96A3
SHA-512:2C681EE6B46F0B1990AEEC47F2289F3901708D67B8B156A55C8B398E640EED29A6741F38084A1EEA031F9B0F20CB6E813C3E3D153917CD9022EAEF3F970615B9
Malicious:false
Preview:............................................................................`...........b6......................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................Mg...........b6..............v.2._.O.U.T.L.O.O.K.:.1.7.b.8.:.1.8.2.e.7.4.4.7.2.5.c.7.4.0.1.c.b.2.3.a.e.d.e.b.e.c.c.0.5.7.9.6...C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.8.2.9.T.0.0.5.5.3.4.0.2.5.5.-.6.0.7.2...e.t.l.......P.P.........b6..............................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:ZAnh/X:+nh/
MD5:DD56BB7410E1E0F240F123EB7586EBA8
SHA1:7EA393CF6D5274AA8BB7EC7359F816FC7FE2A04E
SHA-256:56070CEE7DE2E5818DA8F5CD77E90969801358593A316C4D210C6DF1410DECED
SHA-512:56A3FD906CE6E87D115386426ACCD886A0AE0330D738DE751A9AD137CD5F3E3FD2FA8104BE186AB48867F0A5CA291D0EA316FED84178B205576C6E2876A091F4
Malicious:false
Preview:.....%........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.6690346980911667
Encrypted:false
SSDEEP:12:rl3baFVfsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCw3Ym:r+3mnq1Py961I
MD5:C417841FD72E932D55B0F8311087C67E
SHA1:375DE41B4328E2E2313B40B4B9BA6D1D914577F9
SHA-256:C54AC55A67EC2A848C46B8807093C29D96E457C8AC4EB25B808F4E2E6C782818
SHA-512:EC6374DD2223722CB5362973C9E36CF2F8EF1E29BC84FCD03E5EF7F9D94BDFADA6E9205DD50BAFEC70CF7929F3D61D78D90BE2F37ABAF80265BB9C57BEE05FFF
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.7969977124615566
Encrypted:false
SSDEEP:1536:RrToqsIZRMWrk9x0ELs2AtZA2kR60rqlNCKlNmncZR08qHw7xW53jEpEHP4qQ10r:ZoqxZRMWyATA2kRfncZRt/p9zpp9
MD5:CF397BC2CE7A49EE4460570E710E43AB
SHA1:C2D6B7C20417DF4335E2A72BE722DB66E821C127
SHA-256:3B22DA7046267AB4A825E3637F00F40C1C9B50F4E391351BBC2A0E0E7FAA188C
SHA-512:1DDB3C6732A2DCD9B3AE4141934E153FE6D862E357C67FDA3C7A24DC60535C8B383F88F5170CAE14351EBCD57C6C815BC67037974FE4200F2D74B10FDFB65E2B
Malicious:false
Preview:!BDN.B8.SM......\...M#..........A.......`................@...........@...@...................................@...........................................................................$.......D......................?...............<........z...........................................................................................................................................................................................................................................................................................C..dF+.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):3.1923563501438297
Encrypted:false
SSDEEP:1536:uW53jEpEHP4qQ10PAwr1hDO6RSZRgnv9xJlNCKlNNW53jEpEHP4qQ10PAwr3eUTH:cp9zJZRgnvp9uddf
MD5:0E8AB4DE901F23FF9D9F91909CA4FBFE
SHA1:B96F3CB764883DE23B2A92F4DF0FF822C0D8355E
SHA-256:4DFC642ABF6D9D0FBEEF16191D8A362B1CFC5E6971DBD1CF42E7AE920D62725D
SHA-512:36C283F155411A281B6060C9AF2FB928AF97A4BC1877D83EA648677B66C3880E958B5DFE8F21210859D277AE7A6CDE58811348B39671070506A45199BF41314A
Malicious:false
Preview:Oq..C...h............,}.......................#.!BDN.B8.SM......\...M#..........A.......`................@...........@...@...................................@...........................................................................$.......D......................?...............<........z...........................................................................................................................................................................................................................................................................................C..dF+..,}..........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:RFC 822 mail, ASCII text, with very long lines (339), with CRLF line terminators
Entropy (8bit):5.840367419465634
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:phish_alert_iocp_v1.3.98.eml
File size:23'356 bytes
MD5:f00ee5d6f5b655fea920ca328fdf466a
SHA1:8d39cc56c619724570e784f29fac37656efee314
SHA256:f48951607bf1ade283601002adb9b95bd2f9460c41d59c488221e5f3f1bd54c4
SHA512:ee9a4bdb158f83f1ea7112627fb1de8f210456c5d54ea16a9111675fb7f1e0ac4dd49840c71c2f5479175e6780df87783587c6127eef03ce3c6c665ee7860b9f
SSDEEP:192:8gL3PNZGPuXlA2i/FbAWz54h/ujOKoS8Q7g/fQszRCwbGxvHqFiyk2D6HoC5nGeS:j/auSya4/Sl7kQMxsf1SXI28w3J5V1
TLSH:D7A23C54DB91181A6EB3616EB5027B2BF2A50C9F872348F0FDADA1121F4F8625B51FCC
File Content Preview:Received: from DS0PR09MB11083.namprd09.prod.outlook.com.. (2603:10b6:8:177::17) by SA0PR09MB7324.namprd09.prod.outlook.com with.. HTTPS; Wed, 28 Aug 2024 23:51:15 +0000..Received: from BL0PR0901CA0023.namprd09.prod.outlook.com.. (2603:10b6:208:1c0::33) by
Subject:New NG SCOUT account created
From:NG SCOUT <no-reply@ngscout.org>
To:"Arroyo, Van@CalOES" <Van.Arroyo@CalOES.ca.gov>
Cc:
BCC:
Date:Wed, 28 Aug 2024 16:51:11 -0700
Communications:
  • This Message is From an External Sender This message came from outside your organization. To activate your account, click on the link below <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intterragroup.com%2F&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov%7C82c7f9c456234d9d4a4808dcc7bc4c17%7Cebf268ae303647149f69c9fd0e9dc6b9%7C1%7C0%7C638604858758601383%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=yoG6ypysKkC6eofOQl7aptxL5W7z8VvDwVPzuWTjGPM%3D&reserved=0> Welcome to NG SCOUT! A new account has been created for you. In order to login for the first time, you'll need to verify your email address by clicking on the link below. Your username is: arroyov Verify Account <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiam.ngscout.org%2Faccount%2Fresetpassword%3Fid%3Dd05ffe24-cb73-4f03-bf4f-9e9ff83127f7%26code%3Dcc2ff9ab-5352-4ab7-90d6-7459bc6ea5db&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov%7C82c7f9c456234d9d4a4808dcc7bc4c17%7Cebf268ae303647149f69c9fd0e9dc6b9%7C1%7C0%7C638604858758615463%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=F2Dzmn9rP1HCmgtIGf3qs7ZKrrApEObXsNEAcy6tVi4%3D&reserved=0> Start off on the right track. Review the Intterra Quickstart Guide <https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fhelpdocs.intterragroup.com%2Fknowledge%2Fintterra-quick-start&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov%7C82c7f9c456234d9d4a4808dcc7bc4c17%7Cebf268ae303647149f69c9fd0e9dc6b9%7C1%7C0%7C638604858758624995%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=x9ZsT6ezcj624CFWtTTXGC7zDiSAMcV%2FTXeTlUGvDIg%3D&reserved=0> to learn the basics. 
Intterra, 3740 Dacoro Ln, Ste 200, Castle Rock CO 80109 Powered by Intterra <https://gcc02.safelinks.protection.outlook.com/?url=http%3A%2F%2Fintterragroup.com%2F&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov%7C82c7f9c456234d9d4a4808dcc7bc4c17%7Cebf268ae303647149f69c9fd0e9dc6b9%7C1%7C0%7C638604858758632508%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=tOdbxLadacLGnkWj4s2pnaALXDXP3qGyKqaQE87m%2BDM%3D&reserved=0> WARNING: Do not click links or attachments unless you recognize the sender and know the email is safe.
Attachments:
    Received: Wed, 28 Aug 2024 16:51:16 -0700
    authentication-results: spf=pass (sender IP is 23.251.242.6) smtp.mailfrom=us-west-1.amazonses.com; dkim=pass (signature was verified) header.d=amazonses.com;dmarc=none action=none header.from=ngscout.org;compauth=pass reason=101
    received-spf: Pass (protection.outlook.com: domain of us-west-1.amazonses.com designates 23.251.242.6 as permitted sender) receiver=protection.outlook.com; client-ip=23.251.242.6; helo=e242-6.smtp-out.us-west-1.amazonses.com; pr=C
    dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=iek43urnex4zqv5t3opageoatkmhcael; d=amazonses.com; t=1724889071; h=Content-Type:From:To:Subject:Message-ID:Content-Transfer-Encoding:Date:MIME-Version:Feedback-ID; bh=ip0njd2aFcz5uAoTyV6oDS1872Udgmk4YhdfsUyKgQo=; b=T67f2Vn/r/hA8DppfLpd1IwPWpbTtZn5fAuIYoaL/7IzKfvvoOjn7mY1shaq9cAB OopDCwRrUJGHJhxOZjdcBe/X7IbE7NNoHJuzX9U4TwGwJkezL6gpnZhTpS0DkY/bC26 YGjfIo4WgyGA3JeiAhrFgyFUiFNQ38w/shJAXn7E=
    Feedback-ID: ::1.us-west-1.zVB+VpWcfh+9ETNzT2ipxh06AzP2QxpVLKqRXXl3T5Q=:AmazonSES
    X-SES-Outgoing: 2024.08.28-23.251.242.6
    Return-Path: 011101919b667f4b-7456183f-e086-4ef8-9a33-39833f9157e7-000000@us-west-1.amazonses.com
    X-MS-Exchange-Organization-ExpirationStartTime: 28 Aug 2024 23:51:12.4141 (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id: 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17
    x-eopattributedmessage: 0
    x-eoptenantattributedmessage: ebf268ae-3036-4714-9f69-c9fd0e9dc6b9:0
    X-MS-Exchange-Organization-MessageDirectionality: Incoming
    x-ms-publictraffictype: Email
    x-ms-traffictypediagnostic: DS1PEPF00017E08:EE_|DS0PR09MB11083:EE_|SA0PR09MB7324:EE_
    x-ms-exchange-organization-authsource: DS1PEPF00017E08.namprd09.prod.outlook.com
    x-ms-exchange-organization-authas: Anonymous
    x-ms-office365-filtering-correlation-id: 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17
    x-ms-exchange-atpmessageproperties: SA|SL
    X-MS-Exchange-Organization-SCL: 1
    x-microsoft-antispam: BCL:0;ARA:13230040|1032899013|32142699015|69100299015;
    x-forefront-antispam-report: CIP:23.251.242.6;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:e242-6.smtp-out.us-west-1.amazonses.com;PTR:e242-6.smtp-out.us-west-1.amazonses.com;CAT:NONE;SFS:(13230040)(1032899013)(32142699015)(69100299015);DIR:INB;
    x-ms-exchange-crosstenant-originalarrivaltime: 28 Aug 2024 23:51:12.1797 (UTC)
    x-ms-exchange-crosstenant-network-message-id: 82c7f9c4-5623-4d9d-4a48-08dcc7bc4c17
    x-ms-exchange-crosstenant-id: ebf268ae-3036-4714-9f69-c9fd0e9dc6b9
    x-ms-exchange-crosstenant-authsource: DS1PEPF00017E08.namprd09.prod.outlook.com
    x-ms-exchange-crosstenant-authas: Anonymous
    x-ms-exchange-crosstenant-fromentityheader: Internet
    x-ms-exchange-transport-crosstenantheadersstamped: DS0PR09MB11083
    x-ms-exchange-transport-endtoendlatency: 00:00:03.5966869
    x-ms-exchange-processed-by-bccfoldering: 15.20.7897.027
    X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
    X-Microsoft-Antispam-Message-Info: JEh9UhpVAK8CezTeZg7xL8CT1hvSbh31BgveBAXG9yxVH+0VY05XK7rDQGgVw6jDgT8KTS+0uv56Q8ROTUtvfrDi6S49LnJk/Z+XymLXsj7dHqkNnrPtMaVgq2WhqsuTn3r+bsFu1Ut5jjfnoh40yTkGZ+NquVQJBqYGx0ihEkh6KBFK8grbJutYZeZdl4SsUoLmK6809GU5xbIMM1wHlt6DxScgHR2IUDx6dwLG0A/OC3xZOMlswvdTWO1dUPGOY/OqQ1DbDytt29D436/CTbe/449hvDhHBaOzu5x5cpZGgX3xkSJr9SM3ZeBAYUTgBfxR2fY4cCWSYo5fpPUXuTAHfRA68+yCTr/m2bmCrLfltafWt0kKVV2wi8hSsWmnAOwRQiLSOvkvPbyxm6zVYqwGsGRVHEb2SaMLwo6FeohF/lurFMmeaU1+004qkh8rjNnlrlqv+tkJnDF983umARudRqmxa9VA+RoqFItg3KGLhis5goPFcOaQXF5R17hBbP3wGnfTXACkqipQfUgiNOqPfVzFvFq9cdmagHg8SKza/eJosMPHAdTbbQZUSgwBBC7HlqdmGTcMw63eGi1WB+OEAtezvOA5k99wEQSENb/EABJq7Qn9/8CmJesoHFixbERLD4JO6MYGkO8HAx+Z/aTdPgOZjVv+OCfppy7JM710SH1YpQXGj5Ndb1pcBTG7YsschoXgZSjd1yj1nsOZ98YP7Et2NV1z/UCd89/iFm4MBqmiAE3eiBNNIlqj0C94Yx+xY9oG+yCNYKoRw0RjlPYqs1xf+qss0fO09msTJZWmuvE4JAtgJKtcNqgZAgPwKw37IG72uVB/eLSas2VKuBM5+2nxRzg9DnDid3CMeAqr3PCOhXCOsu5F9N0QPr2IL4oPgfCjahHjUociDNTcvpV/P4xAgl7eDFOTYBWMBHy6PGWnvQVEx0v/pYZ9oc4QjsZIYTGMIpq6Y1F9stu25aRdD8haBErXL6vv2IspSlPceu8zFmRsckO96FFaQTKyc7A7DjIgxOezAvwkCFLqXWzGkMHoONcSFSUq9YhysbtalzIDIwd6gr6VmuxbzII7JsLFikqFE/ntrJ3mWtzvFDa4M/2LlfKMYgf1HYqXksDRdayB4ZLySn5rQguQhf+/YYQr8omgUiPHlV/BqFfMcOU9MxIpf/wvsuemKgxHojssStUJ57Nu1jycUoUYYcbLSl/W+fo0p7f5SIaWqjkGwufxW6dFaaxdbDSFoNs+Lgmms7qQ37QfIslTo8uNkyIuZpw6HrIYRw2REQsuqvm9AjbFUo1YdhCfjgaVtsDId5HkL6mve4BGf4c/MVW4zXQ1O0YsBJcovRrjCyqQIHb5zULachzV3hDAn+1GZcBshmUtwtrD11kgIuIcE6JAldWqhPB0YUF9ULZEKtkk4GIRpwlDnBJU6Cxj4qQ5+qRa8o0f/DDclxbsD9RRaygBg2rvhVXYPMxQiOAFGA54M2z9Jov4Lth0JJejU5Aabn5v91fEegfk/YcC6TxmpgA6hzX/zo7goVdAkAluLAYfB/9ZhMpy3rCZLk4ZAGJiygtc/otWwbNY2P2iAZbv+5ImHoA5LiLjpwmAort5IOur5t2EITW/PdJqXx1vTPfsJSqCL7QeGbpi0Jrf/CxNICupSIhkflTqJneLaD5qtCosAg5ccukYe5Mzod7GESLNYycJfOo0Nuj5/LJnfLYauGfvT2s5wOahcYvRSNMh0JIRVLQ3YIi7oo/oTbwxtE026+X50XL4UEuTRGQVKxPqsBvcZzGZ+nJZwXg14Lhw3CAaN709DSlHUpY2KzPnIQUCjWXG9mgaReEHGeJu7v8nxuehwAPC3isS8IDgbE2v8yRn1qW5BCRAbJKfHNx5f+Shlfaw7Zz3VHoZZfVYAFPO24VWVwHey/GsDR+NHW3eNOsaIt+3xQKS2BudzK0bHYZMfMd4JumvZ8oaasZbTuvgaWmUobaD9WeyUuJhlRKce/hKdcQ+mcBl+XwiJC6PLB+qSiy/pAhqcL8PED+L3nfXJtNi118U
    x-ms-exchange-organization-originalclientipaddress: 23.251.242.6
    x-ms-exchange-organization-originalserveripaddress: 10.167.18.165
    X-Priority: 3
    X-MSMail-Priority: Normal
    Thread-Index: AQHa+aUrkeltNqnFoUSNIEA6XEkEAQ==
    Message-ID: <011101919b667f4b-7456183f-e086-4ef8-9a33-39833f9157e7-000000@us-west-1.amazonses.com>
    From: NG SCOUT <no-reply@ngscout.org>
    To: "Arroyo, Van@CalOES" <Van.Arroyo@CalOES.ca.gov>
    Subject: New NG SCOUT account created
    Date: Wed, 28 Aug 2024 16:51:11 -0700
    MIME-Version: 1.0
    Content-type: Multipart/alternative; charset="iso-8859-1"; boundary="00B0FEED_message_boundary"
    Content-Description: Multipart message
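    The authentication-results and received-spf rows above, together with the Safe Links-wrapped URLs in the message body, are what a triage analyst reads first for a user-reported phish. The Python below is an added example, not part of the Joe Sandbox report, showing the two checks a practitioner would run on them: parse the Authentication-Results value and test DMARC-style identifier alignment against header.from, and unwrap the safelinks.protection.outlook.com redirects to recover the real link targets. The sample strings are copied from this report (the body links with their Safe Links data parameter shortened); the function names and the two-label organizational-domain shortcut are this example's own assumptions.

```python
"""Triage helpers for a user-reported phish: Authentication-Results alignment
and Safe Links unwrapping.

Added example, not part of the Joe Sandbox report. Sample inputs are copied
from the report's header table and body (body links abbreviated); the function
names and the organizational-domain shortcut are this example's own.
"""
import re
from urllib.parse import urlparse, unquote

# Constructed from the report's authentication-results row.
AUTH_RESULTS = (
    "spf=pass (sender IP is 23.251.242.6) smtp.mailfrom=us-west-1.amazonses.com; "
    "dkim=pass (signature was verified) header.d=amazonses.com;"
    "dmarc=none action=none header.from=ngscout.org;compauth=pass reason=101"
)

# Constructed from the message body; the Safe Links "data" parameter is shortened.
BODY = (
    "To activate your account, click on the link below "
    "<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.intterragroup.com%2F"
    "&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov&reserved=0> "
    "Verify Account "
    "<https://gcc02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fiam.ngscout.org"
    "%2Faccount%2Fresetpassword%3Fid%3Dd05ffe24-cb73-4f03-bf4f-9e9ff83127f7"
    "%26code%3Dcc2ff9ab-5352-4ab7-90d6-7459bc6ea5db"
    "&data=05%7C02%7CVan.Arroyo%40CalOES.ca.gov&reserved=0>"
)


def parse_auth_results(value: str) -> dict:
    """Parse an Authentication-Results value (RFC 8601 shape, as Exchange
    Online writes it) into {method: {"result": ..., "<property>": ...}}.
    Parenthesised comments such as "(signature was verified)" are dropped."""
    parsed = {}
    for clause in value.split(";"):
        clause = re.sub(r"\([^)]*\)", " ", clause).strip()
        if not clause:
            continue
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {"result": result}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key] = val
        parsed[method] = props
    return parsed


def org_domain(domain: str) -> str:
    """Organizational domain as the last two labels. Adequate for the .com/.org
    senders here; production code should use the Public Suffix List so that
    e.g. example.co.uk is not reduced to co.uk."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def dmarc_alignment(parsed: dict) -> dict:
    """DMARC-style relaxed alignment: does a passing SPF or DKIM identifier
    share its organizational domain with the RFC5322.From domain?"""
    from_domain = parsed.get("dmarc", {}).get("header.from", "")
    spf = parsed.get("spf", {})
    dkim = parsed.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "")
    dkim_domain = dkim.get("header.d", "")
    return {
        "header_from": from_domain,
        "spf_domain": spf_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": bool(from_domain) and spf.get("result") == "pass"
        and org_domain(spf_domain) == org_domain(from_domain),
        "dkim_aligned": bool(from_domain) and dkim.get("result") == "pass"
        and org_domain(dkim_domain) == org_domain(from_domain),
        # dmarc=none in Authentication-Results means no policy record was found
        "dmarc_policy_published": parsed.get("dmarc", {}).get("result", "none") != "none",
    }


def unwrap_safelink(url: str) -> str:
    """Return the original target of a Microsoft Defender Safe Links wrapper,
    or the URL unchanged if it is not wrapped. The url= parameter is decoded
    by hand rather than with parse_qs so a literal '+' in the target is kept."""
    parts = urlparse(url)
    if not (parts.hostname or "").endswith(".safelinks.protection.outlook.com"):
        return url
    for param in parts.query.split("&"):
        key, _, val = param.partition("=")
        if key == "url" and val:
            return unquote(val)
    return url


def link_targets(body: str) -> list:
    """Every <http...> link in a plain-text body, unwrapped."""
    return [unwrap_safelink(u) for u in re.findall(r"<(https?://[^>\s]+)>", body)]


def link_hosts(body: str) -> list:
    return [urlparse(u).hostname for u in link_targets(body)]


if __name__ == "__main__":
    for key, val in dmarc_alignment(parse_auth_results(AUTH_RESULTS)).items():
        print(f"{key}: {val}")
    for target in link_targets(BODY):
        print("link ->", target)
```

    For this message the alignment check shows why the SPF and DKIM passes do not vouch for ngscout.org: both identifiers belong to amazonses.com, and ngscout.org publishes no DMARC policy (dmarc=none), so the message is authenticated only as having left Amazon SES. That is consistent with a legitimate SES customer that has not configured a custom DKIM signing domain, and with the report's score of 1; it also means any other SES customer sending from a DMARC-less lookalike domain would produce the same verdict lines, which is the caveat to record in the ticket. The unwrapped link hosts (www.intterragroup.com, iam.ngscout.org) are what should be compared against the sender's claimed identity, not the safelinks.protection.outlook.com wrapper.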

    Icon Hash:46070c0a8e0c67d6
    No network behavior found

    Target ID:0
    Start time:00:55:30
    Start date:29/08/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    Wow64 process (32bit):true
    Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_iocp_v1.3.98.eml"
    Imagebase:0xf90000
    File size:34'446'744 bytes
    MD5 hash:91A5292942864110ED734005B7E005C0
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    Target ID:2
    Start time:00:55:35
    Start date:29/08/2024
    Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
    Wow64 process (32bit):false
    Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "9F5C92DD-03E5-4AA4-A613-EBF977ACB98B" "86A069B2-EC86-4D1D-AFCF-25EA6C58A635" "6072" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Imagebase:0x7ff69cd20000
    File size:710'048 bytes
    MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:C, C++ or other language
    Reputation:high
    Has exited:false

    No disassembly