Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:	phish_alert_sp2_2.0.0.0.eml
Analysis ID:	1543763
MD5:	9bd574b882b28af5c9beab3daee6e57d
SHA1:	222da480e782f8f2d03df51e627f02f2ba9fb5b3
SHA256:	a96f33f9e0730c47457241b6fb829f46c67b13282123af107678cab592d63a7a
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Classification

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 3508 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6152 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "08B03CDE-B6B2-4F29-A91A-6647CD6718F4" "9CDC5E15-2274-4120-B43C-26F021788F11" "3508" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 3508, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: classification engine

Classification label: sus21.winEML@3/10@0/32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241028T0712480729-3508.etl

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "08B03CDE-B6B2-4F29-A91A-6647CD6718F4" "9CDC5E15-2274-4120-B43C-26F021788F11" "3508" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "08B03CDE-B6B2-4F29-A91A-6647CD6718F4" "9CDC5E15-2274-4120-B43C-26F021788F11" "3508" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: Email contains repetitive nonsensical characters and patterns suggesting automated spam generation

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Process Injection	LSASS Memory	12 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States	8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.208.16.92	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.32.97	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543763
Start date and time:	2024-10-28 12:12:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	phish_alert_sp2_2.0.0.0.eml
Detection:	SUS
Classification:	sus21.winEML@3/10@0/32
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132
Excluded domains from analysis (whitelisted): ecs.office.com, s-0005.s-msedge.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, europe.configsvc1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: phish_alert_sp2_2.0.0.0.eml

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "explanation": [ "Email contains repetitive nonsensical characters and patterns suggesting automated spam generation", "Sender email domain (saison-hoken.co.jp) doesn't match the content context", "Subject line is empty which is highly suspicious for legitimate business communication" ], "phishing": true, "confidence": 9 }
Is this email content a phishing attempt? Please respond only in valid JSON format: Email content converted to JSON: { "date": "Mon, 28 Oct 2024 13:37:20 +0300", "subject": " ", "communications": [ " ! . . . . : , . , 83, , , . , 83, ! . . . . : , . , 83, , , . , 83, ! . . . . ! . . . . : , . , 83, , , , . , 83, , . , 83, " ], "from": " <m-fukuhara_i2833@saison-hoken.co.jp>", "to": "Olena Kobryn <o.kobryn@gms-worldwide.com>" }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": " : , , 83, ", "prominent_button_name": "unknown", "text_input_field_labels": [ " ,", " ", " ", " , . , 83, " ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": false, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [] }
	```json { "brands": [] }

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.3772438885107245
Encrypted:	false
SSDEEP:
MD5:	F1E142A07C7E7862BCFECCD51C85D345
SHA1:	BAEAD2117E08ED7671489120B0F2EA8F23948195
SHA-256:	92AD65B956D2A9E7B86D0D26EF8B061BC7F0F4352ACD2C5EE28633506FF5B4D2
SHA-512:	2BD60BF2CAADC28B35850CE78B7870F54B113072048C1FCC29A7C55684A138E9D3223360E87B61ADD264A112628906EAED222247A2B09B5EE023DD395FC545F8
Malicious:	false
Reputation:	unknown
Preview:	TH02...... . .yG)......SM01X...,...@.kG)..........IPM.Activity...........h...............h............H..h..?........?...h........xj..H..h\cal ...pDat...hXC..0.....?....hi.ZT...........h........_`Pk...h..ZT@...I.lw...h....H...8.Uk...0....T...............d.........2h...............k.........?.M..!h.............. h..{0....0.?...#h....8.........$hxj......8....."h........h.....'h..t...........1hi.ZT<.........0h....4....Uk../h....h.....UkH..h ...p.....?...-h .......\.?...+h..ZT......?................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F9EB7AF4-4FA2-480F-BFB2-4F33EA212BD9

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	180288
Entropy (8bit):	5.290987209246076
Encrypted:	false
SSDEEP:
MD5:	5A5600666251907383A65D9175D6C29F
SHA1:	B569515B91E84934F09A4C37828B23C17BACAC0C
SHA-256:	161861342737AD3D55BCD6DEF1D12F3A0E4F8161CF0EA4E764A02A2016FB1053
SHA-512:	A180964E4136C2F2CFD13E19F770A482C167631058A361ECB15101E1CD69E0B1D0C6D21A11594863C241937C59AA47B628A72AA801E1F1EA39C5DD47892A3755
Malicious:	false
Reputation:	unknown
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-28T11:12:51">.. Build: 16.0.18222.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.04604146709717531
Encrypted:	false
SSDEEP:
MD5:	6BD77A33F7F86F5F395D95E324129779
SHA1:	80F9BA2BF9E1657337BEEB5A11847B269EED1A48
SHA-256:	1A6799FDF958685C5862ACCA730A6B4F175111D7218DBA54AF039C7D153126AC
SHA-512:	922DA4B0A8C55F5CD7218DB80C01A188C0CADD98AB866A58E309F0E1D5FA120AF4BF973E708C153CA7F4D79BBB66E6DCE64D429D1D0601E9ECA9B39501B2FBCE
Malicious:	false
Reputation:	unknown
Preview:	..-......................x.......pS..b.re\v..:8..-......................x.......pS..b.re\v..:8........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	dropped
Size (bytes):	49472
Entropy (8bit):	0.48381599884461046
Encrypted:	false
SSDEEP:
MD5:	77CCEE44A96E739E5F44397F023E19B5
SHA1:	F1CD4553F7AB31F20167C2221C4C01DC2DDBA993
SHA-256:	63B6276B17414839A4E0A443D21423E111DCFBFCB1AC0FA02D9BCB9BBC8A94BB
SHA-512:	77EE42E23D977AACD487FC7748B9C4FF71D47B1B1657BA0DD22ED6B8A3B39CEB99188BCD6C9F29246BFFEBDE8CA7C6F2B1269237051B8C10DA49D5F4B81FA86D
Malicious:	false
Reputation:	unknown
Preview:	7....-...........pS..b.f:t............pS..b....+'".SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730113968980643300_5C7C7BA2-7A0E-49D6-861E-2F171D20D135.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (28766), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.1604194558504742
Encrypted:	false
SSDEEP:
MD5:	CC7CD8B15ED93D39E93A27E048FFBB9F
SHA1:	0A71D46CDAFA4ABC8E91DD95C9B4DA43CD5022FA
SHA-256:	581D9659F4B81CA0BDA3E6DB7F4245F0BFFAD0663D34D8FBD4039B645FF0B709
SHA-512:	BEE236431E53ABCAF60CF12E83FDD92EAC91021EC0DB3622DF42AC464537C6E2AFC68D07473E7CC265851587E2F5F170AA2C0E8A9590F907DB0967AE5A3005E7
Malicious:	false
Reputation:	unknown
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/28/2024 11:12:49.017.OUTLOOK (0xDB4).0x165C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-28T11:12:49.017Z","Contract":"Office.System.Activity","Activity.CV":"ont8XA561kmGHi8XHSDRNQ.4.9","Activity.Duration":19,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/28/2024 11:12:49.049.OUTLOOK (0xDB4).0x165C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-28T11:12:49.049Z","Contract":"Office.System.Activity","Activity.CV":"ont8XA561kmGHi8XHSDRNQ.4.10","Activity.Duration":10483,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730113968981515400_5C7C7BA2-7A0E-49D6-861E-2F171D20D135.log

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241028T0712480729-3508.etl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	110592
Entropy (8bit):	4.516173295276812
Encrypted:	false
SSDEEP:
MD5:	81114F0C26DA7F1B4D20B54782B2106D
SHA1:	0CA2CBF07338DF502B76EEDBDE517C9EB2FFF69F
SHA-256:	CB9F21F776E024BCBE7876E99D416F67C8AA23DFAEAB12621AE3F41E161E8F18
SHA-512:	2F3A022C7D2BD0773DC4CCD977C1960681EA49FF4082F2E0C6ECB92E7FFCC175D7DF6E3557BADE85ED129924EEEE0B373EF477324FBA9E701CEF5D90BA271DEA
Malicious:	false
Reputation:	unknown
Preview:	............................................................................^...\..........R)..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................e..Y.............R)..........v.2._.O.U.T.L.O.O.K.:.d.b.4.:.2.3.3.7.0.c.7.5.1.1.9.b.4.5.0.0.8.2.2.c.5.2.d.0.8.d.0.8.4.a.d.1...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.8.T.0.7.1.2.4.8.0.7.2.9.-.3.5.0.8...e.t.l.........P.P.\.......h1.R*)..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	1708DEBB640E4DD35027EBC8F3A96826
SHA1:	287AC49B8CE0947E05D0FF6EC73DBE8F230F9F88
SHA-256:	B0202AE5C87D4899FE0F08EF77D765A8343E83AA32AE20C310F17DFFD280C60F
SHA-512:	B5B2828A25C84C110B9F8BA07E50A362E9F8760DDFC9D42DB112E15E4CECA19924F0768422BE6B27D5CFCBB79B671E8694B1454839B508943A71E5779CCDFF76
Malicious:	false
Reputation:	unknown
Preview:	..............................

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	5.293056335418349
Encrypted:	false
SSDEEP:
MD5:	2B080A09DA08F1233550BC88A55BE633
SHA1:	4F345CE329C83D89E914A944D9ABE2515FA61FB5
SHA-256:	632C7465926F23BED92258E0C0E4E39DB3CAA62DF798CE29D01D927FE1378893
SHA-512:	FAEE3F94DC740F44BF97960A35A54309D925A7B7772B890A84EF12AF94A4078FA1BDB02A816FFCE9C41967A1D99B9AE842B984F2132D35E2E17529B8890C26CF
Malicious:	true
Reputation:	unknown
Preview:	!BDN.a.SM......\.......................Z................@...........@...@...................................@...........................................................................$.......D.......h...................................................................................................................................................................................................................................................................................................................................bs.L.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	262144
Entropy (8bit):	4.777984009997744
Encrypted:	false
SSDEEP:
MD5:	A4428AC21DE35D90585798380F50A7F2
SHA1:	1C9A69747BA17DEFE942D86D00579DFA220C2CD5
SHA-256:	C65587A5DACF1C33E11DF3F2A2391F440647CD19718455E45A63972C254D467B
SHA-512:	8EAF482408386925A62661ACA9AE625725C6E16B27B008683081156B9EE105912825C5A4C63E438E6724CE7409060BE03778EEA7C93492642DDE0313FD85F559
Malicious:	true
Reputation:	unknown
Preview:	....C...y.............XR)....................#.!BDN.a.SM......\.......................Z................@...........@...@...................................@...........................................................................$.......D.......h...................................................................................................................................................................................................................................................................................................................................bs.L.....XR).......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (2049), with CRLF line terminators
Entropy (8bit):	6.083483449150425
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	phish_alert_sp2_2.0.0.0.eml
File size:	136'021 bytes
MD5:	9bd574b882b28af5c9beab3daee6e57d
SHA1:	222da480e782f8f2d03df51e627f02f2ba9fb5b3
SHA256:	a96f33f9e0730c47457241b6fb829f46c67b13282123af107678cab592d63a7a
SHA512:	db682241a74a1bf0c9f98c200b2a1eeac76a997dbcc2f22783ebee72948b1cd84b13618fcdd8beb5fc09bfb7eaa52f0ade4f5ead53c91a7af696690f96a6b91f
SSDEEP:	3072:S9jFD12MY2NqmLhKRJi0rQ7UFN5fkhG/iltMH/8jfnH2gC:S972MY2VLhKRJjIhGMMH/D
TLSH:	70D3C027DD770D4693021BFB02CEA6C9A43FB75942DF20FE12B6AB63E065562D2C8701
File Content Preview:	Received: from DB8P189MB0716.EURP189.PROD.OUTLOOK.COM (2603:10a6:10:12f::7).. by AM8P189MB1394.EURP189.PROD.OUTLOOK.COM with HTTPS; Mon, 28 Oct 2024.. 10:39:19 +0000..Received: from AS9PR06CA0287.eurprd06.prod.outlook.com.. (2603:10a6:20b:45a::21) by DB8P

Static Mail

General

Subject:
From:	<m-fukuhara_i2833@saison-hoken.co.jp>
To:	Olena Kobryn <o.kobryn@gms-worldwide.com>
Cc:
BCC:
Date:	Mon, 28 Oct 2024 13:37:20 +0300
Communications:	! . . . . : , . , 83, , , . , 83, ! . . . . : , . , 83, , , . , 83, ! . . . . ! . . . . : , . , 83, , , , . , 83, , . , 83,
Attachments:	_21337429345.pdf

Headers

Key	Value
Received	from unknown (HELO 212.8.252.56) (m-fukuhara?i2833@saison-hoken.co.jp@197.250.15.208) by dc28.etius.jp (119.245.204.209) with ESMTPA; 28 Oct 2024 19:37:27 +0900
Authentication-Results	spf=pass (sender IP is 119.245.204.209) smtp.mailfrom=saison-hoken.co.jp; dkim=none (message not signed) header.d=none;dmarc=bestguesspass action=none header.from=saison-hoken.co.jp;compauth=pass reason=109
Received-Spf	Pass (protection.outlook.com: domain of saison-hoken.co.jp designates 119.245.204.209 as permitted sender) receiver=protection.outlook.com; client-ip=119.245.204.209; helo=saison-hoken.co.jp; pr=C
X-Vade-Tracker	score=0, verdict=clean, state=0 spamcause=gggruggvucftvghtrhhoucdtuddrgeeftddrvdejkedgudejucetufdoteggodetrfdotffvucfrrhhofhhilhgvmecupffvvffrveenuceurghilhhouhhtmecufedttdenucenucfjughrpefkrhfhvffuffggtgesmhdtreertddtjeenucfhrhhomhepvfhomhgrpiihkhcupihomhgvphcuvfipgihohhhoueippicuoehmqdhfuhhkuhhhrghrrggpihdvkeeffeesshgrihhsohhnqdhhohhkvghnrdgtohdrjhhpqeenucggtffrrghtthgvrhhnpefftdejfedtteeuvddujeefveeggedugeevieeihedtieduveegudduieeitdeiudenucfkphepudeljedrvdehtddrudehrddvtdekpddvuddvrdekrddvhedvrdehieenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepihhnvghtpeduleejrddvhedtrdduhedrvddtkedphhgvlhhopedvuddvrdekrddvhedvrdehiedpmhgrihhlfhhrohhmpehmqdhfuhhkuhhhrghrrggpihdvkeeffeesshgrihhsohhnqdhhohhkvghnrdgtohdrjhhppdhnsggprhgtphhtthhopedupdhrtghpthhtohepohdrkhhosghrhihnsehgmhhsqdifohhrlhgufihiuggvrdgtohhmpdhmohguvgepshhmthhpohhuth
Message-Id	<00eea70c96ab818e3d97de7672b78fac8496@saison-hoken.co.jp>
Reply-To	<m-fukuhara_i2833@saison-hoken.co.jp>
From	<m-fukuhara_i2833@saison-hoken.co.jp>
To	Olena Kobryn <o.kobryn@gms-worldwide.com>
Subject
Date	Mon, 28 Oct 2024 13:37:20 +0300
MIME-Version	1.0
Content-Type	multipart/mixed; boundary="----sinikael-?=_1-17301120116220.8441386438834804"
Return-Path	m-fukuhara_i2833@saison-hoken.co.jp
X-Ms-Exchange-Organization-Expirationstarttime	28 Oct 2024 10:37:35.1699 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	4d24fab7-0f6d-45a4-3118-08dcf73c8933
X-Eopattributedmessage	0
X-Eoptenantattributedmessage	b257b72a-b83c-4005-915b-ce5ce92eaad2:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Publictraffictype	Email
X-Ms-Traffictypediagnostic	AMS0EPF000001AB:EE_\|DB8P189MB0716:EE_\|AM8P189MB1394:EE_
X-Ms-Exchange-Organization-Authsource	AMS0EPF000001AB.eurprd05.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id	4d24fab7-0f6d-45a4-3118-08dcf73c8933
X-Ms-Exchange-Atpmessageproperties	SA\|SL
X-Ms-Exchange-Organization-Scl	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|8096899003;
X-Forefront-Antispam-Report	CIP:119.245.204.209;CTRY:JP;LANG:uk;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:saison-hoken.co.jp;PTR:saison-hoken.co.jp;CAT:NONE;SFS:(13230040)(8096899003);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime	28 Oct 2024 10:37:34.2637 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id	4d24fab7-0f6d-45a4-3118-08dcf73c8933
X-Ms-Exchange-Crosstenant-Id	b257b72a-b83c-4005-915b-ce5ce92eaad2
X-Ms-Exchange-Crosstenant-Authsource	AMS0EPF000001AB.eurprd05.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas	Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader	Internet
X-Ms-Exchange-Transport-Crosstenantheadersstamped	DB8P189MB0716
X-Ms-Exchange-Transport-Endtoendlatency	00:01:45.1789142
X-Ms-Exchange-Processed-By-Bccfoldering	15.20.8093.014
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info	sjx0mCTVgPwql9QtE5UAKy1zj+QrJ64IUlfx8QWNsOKroSOf26wHO25PMdGnvgSzODHD8YCR2HhP7sM05ZTTDY/ww8vd+VxpSN7p7tbxC3wsY90MkfowS8Ly2NOS0tjs3LLL9WIUv/C6q69M127/GH7X6jOGROnZ8qbYz96c77zbTGxO33uy9vtbOtpP86h62/prRoIMpw2cCYp0YEJuro0sSZC4dXtqNGTOHK8wUTOiSYG4w5py+fTtFqPO5GA2PRUWm4H2XHGs60ksiaszES89pvddcqWZ5t0jhXVn/m9e6IW/Cu5gD61BxyZgtPosoKSw+dfQxpu5PM8/30FzIGuxZpnzojDc6xgZ0UH+0yf2ZkOSKWZOY9wxi3AalY2gFwfMhqk5iAyOxl3/JUKajL6/YqzNkFewJX9QZZGCkIcVtORLiLurXHQyXcGnnYAaRC1D+BvQFrODnbamNjoyFp6CbADWNGKtcW/z85F+IZh1uznc3J7qZZ0lAy+pWVa1mWcybs6SNr8pu10qiMNU9PFrvovWXEc1h+znZoXSYRVdwz8YWsZJyEVCE+C1s5BPenBlWf8zacbIesCORtY0ZNghQKdFmxF0iCEroiFCZP0xrLrKo3gJwZWp3btGMLTmuAoo9+c/gc2kaBU3FN5fGtpm+nJZEu4EVKv0U3vrxRlm+g8osuIL0Y6vTSjIPF/g6VB1iJBjcu/oZalZvbrYVJCdp1nHCMT2wIwD2X7KXh+JKCxPJ+Ynpn5fk20ZwETPkYd/WxrmULh4RbjzQGYapxjEpf0WkM95yabeIRNehqx9yhYo6d/NRSGaBd1fLOwIn6gUXVSNWyB7BlDK3tvgBast5xcC2dwtwdON/6uGUzVBSDPERBheF+TKB+JgZ0P0bOx7ZKYn+Gq26t5awMmQwh0fanwLdCcO/JCzco3acWlcvTQVQkKwPDge9w/8L+rua4xRBK3ctjJtQVSy58olUL49z8Atzb6nCPSRqXMgMcEA2tySJYRr767oBsJn3MeVVpe1QDwMXPGnk41nFuTc98TEkrtEXE70nMUocN+DQDLiy0WXOH/tyi2A40afHbwOMUY0F2BXPiTgSUD0b6pTEQQF5dvjRDF69kofxKo8C+JUG1XnDFzyJRAaPeYm5eQxsaYX/Pd0bxpWWW26LREqslPvStqSrcpecKkJFpu3xRs8No+VMwAck7dQb22ur1aKqJ1hwF3QFMlhVT49Eg7lMEeKRqrae7/GHTmGAG25q6U+5H1vj4xG+Ad6Dlhn2P7UhsuM7L/A5dpkyKJ9VrYTfEpyFfvfwz1dw7uO3+JSsHCHEXqgP8buGI+vM8fzr8YXumPHTSOxjpdBmEPx7F6JcQSFCmnvTsTNoVpUW589U0dCY0Buq7/rBBkfwoqeFSsvee0OMZgyReO/Vj8M4n5voxjY+B+dbdozE27dPPDGrME2RNJ641TIBtBTPKJYae+DYNET2N+Q4z9yQVXyuVWTC4JEWq/GP6eYDM9leCuZOsXNH1Yj73HexHBGcYRWLQ6m73CIP/YkRkD6bh+csKKnqTsn9ffGHyMM3JOhS9iA4PSNgayDdr4gnaQnmxWXGsSFA5kwjRsRVlU3LpPdPlUp8qblYBJ7U3nph/Z/ey2M1RrHBJYEeH55Iz+dL/JcAwpU3ENA/e+ou57QHlHBw4wVUUwtg6tHdrIcGrSvnV9d7KKSOsgphTynUys5iJXBMZS19cnNM0Dt7EQ7otPdmNuqkSRmTOFR9yDM+2lg8GUoEnzBr9LpAlRvk4pYRZi72AwqgIjU5fz4Exn+UiFdCjjcAVgxKzKEl1fBYJswKvSRD9UEq08WDwy/ntP1WHB7OFBgYAq7lfArs40qwISguT5EUZOeq5Mu4yjw0dJGdulPQ1sZ/swK1qU/dEr3fPBQiyLO3H3Ds9I5bsdSyn8u8dqYqXvkW56wb+UgY9Y8GafGRzGwtg/ybZfgLBhYeePz/E9OGWTEvTVZIfMEXYCuhJ0b+1EqE52dmtSxEbMzDYb2zpxz9xdYfpFW48lsvG5tBdK/
Content-Transfer-Encoding	7bit

File Icon


Icon Hash:	46070c0a8e0c67d6

Description:	Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser's app store and generally have access and permissions to everything that the browser can access.
Tactics:	Persistence
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Process: Process Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\F9EB7AF4-4FA2-480F-BFB2-4F33EA212BD9

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730113968980643300_5C7C7BA2-7A0E-49D6-861E-2F171D20D135.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730113968981515400_5C7C7BA2-7A0E-49D6-861E-2F171D20D135.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241028T0712480729-3508.etl

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml