Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:	phish_alert_sp2_2.0.0.0.eml
Analysis ID:	1544782
MD5:	bcbad225620ec9c051e2c43ba43e4222
SHA1:	a9f7f0cd21c43def7c8c235ddde287b953df055a
SHA256:	2780aa3790511bc9d56a0a5c8f8a97882eb39d086aa9285bccf4bfdaf3ddc12e
Infos:

Detection

Score:	22
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

AI detected potential phishing Email

Creates a window with clipboard capturing capabilities

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Sigma detected: Office Macro File Download

Stores large binary data to the registry

Classification

×

Process Tree

System is w10x64_ra

OUTLOOK.EXE (PID: 6384 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 6728 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3D6B3DF1-1449-4127-896E-421FCE98A590" "54EED02E-8E76-4A8A-BB61-34755FFA9002" "6384" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

cleanup

Yara Signatures

⊘No yara matches

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6384, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Sigma detected: Office Macro File Download

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

Sigma detected: Office Macro File Creation

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6384, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window created: window name: CLIPBRDWNDCLASS

Source: classification engine

Classification label: sus22.winEML@3/16@0/28

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241029T1338530982-6384.etl

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File read: C:\Users\desktop.ini

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3D6B3DF1-1449-4127-896E-421FCE98A590" "54EED02E-8E76-4A8A-BB61-34755FFA9002" "6384" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "3D6B3DF1-1449-4127-896E-421FCE98A590" "54EED02E-8E76-4A8A-BB61-34755FFA9002" "6384" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

AI detected potential phishing Email

Source: Email

LLM: Detected potential phishing email: The email claims to be from a mail delivery subsystem but uses a suspicious non-standard domain (pphosted.com)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 Browser Extensions	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Process Discovery	Remote Services	1 Clipboard Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	12 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

⊘No Antivirus matches

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

⊘No contacted domains info

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
52.113.194.132	unknown	United States		8068	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
2.19.126.151	unknown	European Union		16625	AKAMAI-ASUS	false
52.109.32.7	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.109.76.144	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
20.50.201.204	unknown	United States		8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544782
Start date and time:	2024-10-29 18:38:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Sample name:	phish_alert_sp2_2.0.0.0.eml
Detection:	SUS
Classification:	sus22.winEML@3/16@0/28
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.113.194.132, 52.109.32.7, 2.19.126.151, 2.19.126.160, 184.28.90.27
Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, ukw-azsc-000.roaming.officeapps.live.com, fs.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, osiprod-ukw-buff-azsc-000.ukwest.cloudapp.azure.com, s-0005-office.config.skype.com, eur.roaming1.live.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, s-0005.s-msedge.net, e16604.g.akamaiedge.net, ecs.office.trafficmanager.net, prod.fs.microsoft.com.akadns.net, omex.cdn.office.net.akamaized.net, a1864.dscd.akamai.net
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetValueKey calls found.
VT rate limit hit for: phish_alert_sp2_2.0.0.0.eml

LLM Input / Output

Input	Output
URL: Model: claude-3-5-sonnet-latest	{ "explanation": [ "The email claims to be from a mail delivery subsystem but uses a suspicious non-standard domain (pphosted.com)", "The subject line about 'returned mail' is a common phishing tactic to create urgency and curiosity", "Contains an attachment with generic name that doesn't match the 'returned mail' context" ], "phishing": true, "confidence": 8 }
{ "date": "Mon, 28 Oct 2024 14:51:53 -0400", "subject": "Returned mail: see transcript for details", "communications": [ "[You don't often get email from mailer-daemon@mx0a-005dcd01.pphosted.com. \nLearn why this is important at \nhttps://aka.ms/LearnAboutSenderIdentification ]\n\nCAUTION: THIS MESSAGE IS FROM AN EXTERNAL SENDER\nThis email originated from outside the organization. Do not click links, \nopen attachments, or share any information unless you recognize the sender \nand know the content is safe. Report suspicious emails using the \"Phish \nAlert\" button in Outlook or contact the Helpdesk.\n" ], "from": "Mail Delivery Subsystem <MAILER-DAEMON@mx0a-005dcd01.pphosted.com>", "to": "Natasha Thompson <Natasha.Thompson@marionfl.org>", "attachements": [ "GIS Day.eml" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "You don't often get email from mailer-daemon@mx0a-005dcd01.pphosted.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification", "prominent_button_name": "unknown", "text_input_field_labels": "unknown", "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "contains_trigger_text": true, "trigger_text": "To view secured document, click here", "prominent_button_name": "DS1PEPF00017E07.namprd09.prod.outlook.com 2024-10-28T18:51:53.519Z 08DCF6EE6A4B8669", "text_input_field_labels": [ "pbowlin@marionso.com", "DS1PEPF00017E07.namprd09.prod.outlook.com 2024-10-28T18:51:53.519Z 08DCF6EE6A4B8669", "503 5.5.2 Need rcpt command" ], "pdf_icon_visible": false, "has_visible_captcha": false, "has_urgent_text": true, "has_visible_qrcode": false }

URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "Phish Alert" ] }
	```json { "brands": [ "Phish Alert" ] }
URL: Email Model: claude-3-haiku-20240307	```json { "brands": [ "outlook.com", "marionso-com.mail.protection.outlook.com" ] }

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.383768773770152
Encrypted:	false
SSDEEP:
MD5:	7FEF6CE98BA03DA5F95FF66177295E22
SHA1:	4F05F6117644817C951ADD999B7850EFE0837CE3
SHA-256:	D27B4B97DE451DDE3BDDD9CEF34D70C7B68F3A71B2F69470F24AD0B367F3DE7F
SHA-512:	6162CA6DEFA8C7BA421680928CCA9CB1ED0ADD5D5DCB7F6C7FEF2E89ECF78BED0DD78826A454E4751B7A80AA555E07A9DD9E6C4B39CB3D318FA4F94061CC99E8
Malicious:	false
Reputation:	unknown
Preview:	TH02...... .p.8b)......SM01X...,.....,b)..........IPM.Activity...........h...............h............H..h........a.....h........X.L.H..h\cal ...pDat...hp.L.0...`......h..>\|..K........h........_`Pk...h..>\|@...I.lw...h....H...8.Uk...0....T...............d.........2h...............k7.4.....;.7...!h.............. h...\|....x.....#h....8.........$hX.L.....8....."h`.K.......K...'h.. ...........1h..>\|<.........0h....4....Uk../h....h.....UkH..h.%K.p.........-h .............+h..>\|................ ...... ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	322260
Entropy (8bit):	4.000299760592446
Encrypted:	false
SSDEEP:
MD5:	CC90D669144261B198DEAD45AA266572
SHA1:	EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:	89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:	16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:	false
Reputation:	unknown
Preview:	51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:76bd602437550e98c9043d06a55186ab7d95dea5a0e935a599f73e62a8c9b158e0afcb19351f6c353940c06a38172b94d18c02cf92bb8a80184eccca0392b259ab3e71dae73e491c7941997cb36ad4a198661f622dad478d840f66d530a0dde78acea3367f91fff62fbb3dc18faff0c708ad30edef5bea8b22c5fd782b770d8993386eaa784fd19a3c3e1db3b537b1a94d3d4fbd46f8df8fddf6d16611969fe0a97c50e0f3ac24750c93257cf5c161184aa7385800c87d803b339632a3d8ec7fe17a0afd83ce9e9d0e3f7b8d579637928a811f1f7e6d1887df2ddc7d4f752c4d600235e426c92c7bf8a1362f95457998cc0e5d4261f0efa4fada0f866dbcefb407dacab7a2914e91c2f08200f38c2d9d621962145b1464b0f204b326118a53ecdcab22bff005fdd5257c99a6dc51ac0600a49f2ef782396987e78c08b846dad5db55e8ccefffc64863bc2c3e90b95a09d25d0814a848c98fe01a82d4e30e6682dd546e12c45ca0d280a45295ab4bd632dafb070edfdc3c9e38313d5aeb195972986f8011b66817028fd8c78b67a0ac7e780eecc3fb6a31f5a025b8a9a3db278a98c0696aeaac739b18688b0f9c7d751bba02cc5f4e41853fb119b3c0c915059aaa92971244a1989124f12881ca88e6410df70b793a2c3a736ff4

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	10
Entropy (8bit):	2.6464393446710157
Encrypted:	false
SSDEEP:
MD5:	7D8CBFEA336A266FDC86327F0A0B4E47
SHA1:	F4128FD98C62FDABFB119C76E71F88A3B6A64000
SHA-256:	6AE784A3A7CF4C7814424A472AD045F2C6E457D72E3697E13959E63DFB524021
SHA-512:	BFB959427578EF5ABB7A8CBB4F6872E8FC3A6C09972083C1A68CE9DF11157A7E37C7B773CF55687B9439E49C9B0C6C94D3B345F7655D87443EFF9535C6425BD1
Malicious:	false
Reputation:	unknown
Preview:	1730223538

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	0.09216609452072291
Encrypted:	false
SSDEEP:
MD5:	F138A66469C10D5761C6CBB36F2163C3
SHA1:	EEA136206474280549586923B7A4A3C6D5DB1E25
SHA-256:	C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
SHA-512:	9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
Malicious:	false
Reputation:	unknown
Preview:	SQLite format 3......@ .......................................................................... .....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Rollback Journal
Category:	dropped
Size (bytes):	4616
Entropy (8bit):	0.13760166725504608
Encrypted:	false
SSDEEP:
MD5:	1EBE743E23DC0AA496A1301C80186C76
SHA1:	1820E51ECD583F75157CCFA7FB8D307E3C73F7D9
SHA-256:	5B6FCD65909E3673C26BE0C1F7ADAC67A8A2368F04FB50E5389641D04EA0C479
SHA-512:	92212205586334245345AE576D6FAB3E55917CD6A1D0AA0A8514E17D1CFC79362639E04866A19E7B6CA3054A1B30419991757557CA7648BA924996E1C720CF4A
Malicious:	false
Reputation:	unknown
Preview:	.... .c.....z..6....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ .......................................................................... .................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.0426119472420908
Encrypted:	false
SSDEEP:
MD5:	560BB1523A395B907A028C62BCE17546
SHA1:	CF02706B40FBF59F1A16507597155FA8ACC57E72
SHA-256:	7A0AD39DA9E3BF8FC1F6FA331B36132A5BBE838876DFD1D5D4DED556C4A3ADE7
SHA-512:	2D94FFAB71E7CF0430B3B23AEB067A7ECD9F1D8AAC6A99545E2639CC488ABA320585E5E233CCCC137CFB7341335AFC1260D669D59CC13AEB4F3360D55D49FF3D
Malicious:	false
Reputation:	unknown
Preview:	..-.....................:......k4i.......g.U...`..-.....................:......k4i.......g.U...`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	SQLite Write-Ahead Log, version 3007000
Category:	modified
Size (bytes):	45352
Entropy (8bit):	0.3935882582949242
Encrypted:	false
SSDEEP:
MD5:	B1C13788BE831AC812482D9F1BC4023E
SHA1:	7D38B59F6D353C1900BD7AACD8476304B4F40385
SHA-256:	6DE6B64DB9E2B294F5A41AA5922F37ABBA00BC2E09D3E28DDCD8D72A853FC454
SHA-512:	E0687FD08F9D834B2C9E5E908C8DDCC86FF90F80E233729B631B1FD00F30A69D8840ADE7F8DAFE0992AE739007CA6D12A71ADCBA52EB6817726D92172B925F5C
Malicious:	false
Reputation:	unknown
Preview:	7....-..........4i........lG..\k........4i.........9YA..SQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730223534179667400_039C9800-DC49-4729-905E-073E1713899F.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	ASCII text, with very long lines (858), with CRLF line terminators
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.007111885697373018
Encrypted:	false
SSDEEP:
MD5:	60617CE5E84C986D2FE212714EC987F4
SHA1:	A4D6EEE0B184ACC610A601FD36B83FB777434CF6
SHA-256:	12A54E5232584946A3E8A25C5DD8E601D071449F400B4EF697C8057EDB26E1E9
SHA-512:	268A902496B6E9466D24AF9918D2F218F322E698675885A6CB6D8A4943EC409AE67D36B585B9821A5242879C7AA6F514C901E1F062C4B3EE393C14C115D9FFD7
Malicious:	false
Reputation:	unknown
Preview:	Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/29/2024 17:38:54.204.OUTLOOK (0x18F0).0xEE4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":21,"Time":"2024-10-29T17:38:54.204Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"736CA085-DA09-493F-90F1-650B5DF6AB9E","Data.PreviousSessionInitTime":"2024-10-29T17:38:35.681Z","Data.PreviousSessionUninitTime":"2024-10-29T17:38:38.993Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...10/29/2024 17:38:54.235.OUTLOOK (0x18F0).0x1A88.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":27,

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1730223534180337200_039C9800-DC49-4729-905E-073E1713899F.log

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	20971520
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:	9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:	CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:	7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241029T1338530982-6384.etl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	modified
Size (bytes):	122880
Entropy (8bit):	4.620806887801978
Encrypted:	false
SSDEEP:
MD5:	C0955AADD70CF1690E6B0546EF350B6D
SHA1:	24F548D6B60603818EFD1030A2BA6A5A5CEBFD96
SHA-256:	4608B0D396B2BD4181B45CDC0DEB44288E5685EB672D6AAE7996F998E3AA3B94
SHA-512:	5C5B42EB17F49A701B292AC1CABBCE9A5E9182D2F5D838F902EFAE4F0D458571D3B44EA0DAC6EC896697B777A019866061589FB4061BAF00008DF5ABFBA826E3
Malicious:	false
Reputation:	unknown
Preview:	............................................................................`...........?.~l)..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................D}.Y..........?.~l)..........v.2._.O.U.T.L.O.O.K.:.1.8.f.0.:.2.6.c.9.a.4.5.8.6.8.a.6.4.5.8.e.9.c.f.9.d.7.b.6.0.4.9.8.3.2.6.a...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.2.9.T.1.3.3.8.5.3.0.9.8.2.-.6.3.8.4...e.t.l.......P.P.........?.~l)*..........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	30
Entropy (8bit):	1.2389205950315936
Encrypted:	false
SSDEEP:
MD5:	A32DC842AAB1759B9D8E03FFF58FDF4F
SHA1:	7C752D7A77BB554BD1040E19E9E5193EA6BA9BA9
SHA-256:	0166D517C166A9DF70DAC45593FE422A07BC943B757580DAACF8B176978395CE
SHA-512:	FAA61ECC38488C5A983822E7343519981985B526696F1C71C254F0098A1FCDE488719D033298EF95436E6EC6FC6308BF63D51D0B0BEFA2E74563EE419E5DDB79
Malicious:	false
Reputation:	unknown
Preview:	..............................

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.0163683205203604
Encrypted:	false
SSDEEP:
MD5:	80BEF503BCD9D3365C353F407823141F
SHA1:	FA9C7C9A39168E196240D9D074E5BE67AEF82794
SHA-256:	0D34DE94B61B7DC2D1ECF7E39C396BEEEAEC04DB31DB5518DAAA7DCFA464D7C2
SHA-512:	66563ED6B3B0B4755346B777E8DBFFB4D83CC4AA4B63817004332946FC58D072F5C4D8452ED140C807789C6FC870F98662775A0F8AED30086BF5EAB314A45BBE
Malicious:	true
Reputation:	unknown
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Templates\NormalEmail.dotm (copy)

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	0216B93E1B68C2293FE41C342D3AEECC
SHA1:	A16FE679D59BB5AEAAD5DEEF08F130506A855023
SHA-256:	C9E0ED83467D3753725C0B46EF581A6DCF704121E61A245C0958A2469625F8DC
SHA-512:	E6326052486CABA723C17A84E13340CBE1E2FA48AD1CD74FCB1AD4871F5E6718181DAEBB022B78206375A82E77FBB1D0925EE747B8F3D6B383B0F6E0A5EEBBAF
Malicious:	true
Reputation:	unknown
Preview:	PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R.D.g..3.H....M!`.l.....J.j;...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.7267634405561245
Encrypted:	false
SSDEEP:
MD5:	82F4462BFB36D8E9F425ABFE33859748
SHA1:	7B8255DB17598CEDB7C262D3F38AC310D52CFEBD
SHA-256:	29F08C130A6D16587B3ECA58A8277D5B32046B28CB05CA04154A3F63E63F7784
SHA-512:	E611F529371ADB69909D37CBDC0A7406E5D0E7D4F86263989CC0033B444D6CD87F15A69742D495333B9FE1153847C8A672C3715176EA4842F302303012E90A78
Malicious:	true
Reputation:	unknown
Preview:	.user...................................................c.a.l.i....F...<.u....`5..@.J..\..Xz.dM...@G.....b....`5..@.J..m..HH...\|^..\|^.M............\|^.`5...\...m..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	19622
Entropy (8bit):	7.47677971729166
Encrypted:	false
SSDEEP:
MD5:	0216B93E1B68C2293FE41C342D3AEECC
SHA1:	A16FE679D59BB5AEAAD5DEEF08F130506A855023
SHA-256:	C9E0ED83467D3753725C0B46EF581A6DCF704121E61A245C0958A2469625F8DC
SHA-512:	E6326052486CABA723C17A84E13340CBE1E2FA48AD1CD74FCB1AD4871F5E6718181DAEBB022B78206375A82E77FBB1D0925EE747B8F3D6B383B0F6E0A5EEBBAF
Malicious:	false
Reputation:	unknown
Preview:	PK..........!.Q3.p............[Content_Types].xml ...(.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-J\X ......J..0....K......H...R.D.g..3.H....M!`.l.....J.j;...>.b.Fa...B....wz...<`F..K6.._s.r.F`.<X.T....7....U.._t:.\:...<&....A%&:f.9..H.hd..*1y.Lx.k)".........e..k.g.....)....&......A...3..WNN.U..e...<....'4(.....x.....nh.t.....p7..j..s...I@.w6.X..C.Tp...r+..^..F.N...".az...h.[!F.!...g...i"...C..n9.~l...3.....H..V..9.2.,)s..GZD..mo6M..a.!...q$.......O..r-.........PK..........!.........N......

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	Microsoft Outlook email folder (>=2003)
Category:	dropped
Size (bytes):	271360
Entropy (8bit):	2.648144067074783
Encrypted:	false
SSDEEP:
MD5:	F142C3B8E8A47476888A9C5E570E62DD
SHA1:	C98675C817CE53B7E4337DA6F1B6E7BF6717E006
SHA-256:	BA8A129CC98FE864B5CACBB173FD9E3F6338281B18E295FDC0F775C94FA51B77
SHA-512:	08610EE91755F402E35860E344ACEDFC0D31B7A094D639AB27AFFE6C65F44356D0883DB23A84E9B994502E70798AF00572783CB6D5CD5D96BFF3DB464194D41B
Malicious:	true
Reputation:	unknown
Preview:	!BDN.g?wSM......\...............[.......f................@...........@...@...................................@...........................................................................$.......D......@...............E...............W...........................................................................................................................................................................................................................................................................................\|........b..Q-......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	131072
Entropy (8bit):	3.1359347386756937
Encrypted:	false
SSDEEP:
MD5:	D78EFF35BE290819CC90FEED869DEE1E
SHA1:	65713720D8ABAAA1777393A1DA3B7E3405CA6B94
SHA-256:	3B3F10A6A492086DBFF021B0EC7C65A89B3C0458217658AB25E671F961FFF47A
SHA-512:	A5B83C85C2C3D480D1333D4BA7024A83D54B59689D71D47B3C3765FAEDDD453029A5EC103B3908CAD7BA17136F06443B0E6A6E4301785E8DE63379D0E61ADCDA
Malicious:	true
Reputation:	unknown
Preview:	#.s.0...s.............bl).......D............#...................<..........?...?.........................................................................................................................?............................................................?...............................................................................................................................................................................................................................................................................................D......l...0...t.............bl).......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	RFC 822 mail, ASCII text, with very long lines (1241), with CRLF line terminators
Entropy (8bit):	6.066218840964391
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	phish_alert_sp2_2.0.0.0.eml
File size:	14'136 bytes
MD5:	bcbad225620ec9c051e2c43ba43e4222
SHA1:	a9f7f0cd21c43def7c8c235ddde287b953df055a
SHA256:	2780aa3790511bc9d56a0a5c8f8a97882eb39d086aa9285bccf4bfdaf3ddc12e
SHA512:	a66db10b61e5472409e3fa117c8312f7e8ae1af4b4dc60b08e701c6c5cd97bf84a61109d7fe704ae9a616843bf468c8d367ecb50c564e320610cf9286b52be5d
SSDEEP:	192:wReetJqkeRTR1TR7ySk+YVBZrPsC3S2tX3HiWaFkdrtlHbzRgRpcJpHxjn:e0RWSYVvPsqS25H9RlHbzRgIxn
TLSH:	51527D134A6BE021AF9CF18776037E4603A5B5C747F39CC43EEED19801DB64999B640E
File Content Preview:	Received: from DS0PR09MB11297.namprd09.prod.outlook.com.. (2603:10b6:8:171::13) by SJ0PR09MB11319.namprd09.prod.outlook.com with.. HTTPS; Mon, 28 Oct 2024 18:56:28 +0000..Received: from CYXPR09CA0011.namprd09.prod.outlook.com.. (2603:10b6:930:d4::12) by D

Static Mail

General

Subject:	Returned mail: see transcript for details
From:	Mail Delivery Subsystem <MAILER-DAEMON@mx0a-005dcd01.pphosted.com>
To:	Natasha Thompson <Natasha.Thompson@marionfl.org>
Cc:
BCC:
Date:	Mon, 28 Oct 2024 14:51:53 -0400
Communications:	[You don't often get email from mailer-daemon@mx0a-005dcd01.pphosted.com. Learn why this is important at https://aka.ms/LearnAboutSenderIdentification ] CAUTION: THIS MESSAGE IS FROM AN EXTERNAL SENDER This email originated from outside the organization. Do not click links, open attachments, or share any information unless you recognize the sender and know the content is safe. Report suspicious emails using the "Phish Alert" button in Outlook or contact the Helpdesk.
Attachments:	GIS Day.eml

Headers

Key	Value
Received	from localhost (localhost) by mx0a-005dcd01.pphosted.com (8.18.1.2/8.18.1.2) id 49SIpr3c016665; Mon, 28 Oct 2024 14:51:53 -0400
Authentication-Results	spf=none (sender IP is 205.220.166.113) smtp.helo=mx0a-005dcd01.pphosted.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=mx0a-005dcd01.pphosted.com;compauth=pass reason=105
Received-Spf	None (protection.outlook.com: mx0a-005dcd01.pphosted.com does not designate permitted sender hosts)
Date	Mon, 28 Oct 2024 14:51:53 -0400
From	Mail Delivery Subsystem <MAILER-DAEMON@mx0a-005dcd01.pphosted.com>
Message-Id	<202410281851.49SIpr3c016665@mx0a-005dcd01.pphosted.com>
To	Natasha Thompson <Natasha.Thompson@marionfl.org>
MIME-Version	1.0
Subject	Returned mail: see transcript for details
Auto-Submitted	auto-generated (failure)
X-Proofpoint-Guid	nIfnMKDSItIp-aAXdZtiVv8iYvY7nOpu
X-Proofpoint-Orig-Guid	nIfnMKDSItIp-aAXdZtiVv8iYvY7nOpu
X-Proofpoint-Virus-Version	vendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1051,Hydra:6.0.680,FMLib:17.12.62.30 definitions=2024-10-28_08,2024-10-28_02,2024-09-30_01
X-Proofpoint-Spam-Details	rule=outbound_notspam policy=outbound score=0 phishscore=0 impostorscore=0 bulkscore=0 adjustscore=0 adultscore=0 suspectscore=0 spamscore=0 malwarescore=0 ndrscore=0 mlxlogscore=999 lowpriorityscore=0 priorityscore=1501 mlxscore=0 clxscore=1012 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2409260000 definitions=main-2410280148
Return-Path	<>
X-Ms-Exchange-Organization-Expirationstarttime	28 Oct 2024 18:56:23.8459 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	68f364f8-504b-4fba-bb6f-08dcf7823814
X-Eopattributedmessage	0
X-Eoptenantattributedmessage	25a1914d-7aca-40d5-91d5-cd84a5137a31:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Publictraffictype	Email
X-Ms-Traffictypediagnostic	DS4PEPF00000170:EE_\|DS0PR09MB11297:EE_\|SJ0PR09MB11319:EE_
X-Ms-Exchange-Organization-Authsource	DS4PEPF00000170.namprd09.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id	68f364f8-504b-4fba-bb6f-08dcf7823814
X-Ms-Exchange-Atpmessageproperties	SA\|SL
Content-Type	multipart/mixed; boundary="----sinikael-?=_1-17302069336730.17590309763309797"
X-Ms-Exchange-Organization-Scl	1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|1930700014\|222023001;
X-Forefront-Antispam-Report	CIP:205.220.166.113;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mx0a-005dcd01.pphosted.com;PTR:mx0a-005dcd01.pphosted.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(1930700014)(222023001);DIR:INB;SFTY:9.25;
X-Ms-Exchange-Crosstenant-Originalarrivaltime	28 Oct 2024 18:56:23.6584 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id	68f364f8-504b-4fba-bb6f-08dcf7823814
X-Ms-Exchange-Crosstenant-Id	25a1914d-7aca-40d5-91d5-cd84a5137a31
X-Ms-Exchange-Crosstenant-Authsource	DS4PEPF00000170.namprd09.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas	Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader	Internet
X-Ms-Exchange-Transport-Crosstenantheadersstamped	DS0PR09MB11297
X-Ms-Exchange-Transport-Endtoendlatency	00:00:04.4313544
X-Ms-Exchange-Processed-By-Bccfoldering	15.20.8093.023
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
X-Microsoft-Antispam-Message-Info	xoWBryXiFh/ZkNo9c+1Feuh0CeHlm68EAxmzbkduUESALSuTn2mdJhCCrHh5vQpAoonEppUPtpjvMrFiyjBTXG/Vco4CBcTN4OLZm7aLCm9cTvIjUKPJ5ExGCem/6us56NejbG3tXbVv0pgYxstG/L/ENTPvJFIpUQrIOJDj/Eln9S7msKJAZg3MKSMIlcuwZi8DOAsRgEkX6h80ReZZuBEuPdw1irpaI10PDperFd3OXUn+hzd3OhO0ehGbADhpeUqYItcjiSa3il9Iay34kM2W7uhSJ9g9zRE++idJqaZieo1WoC7sPX/MGIdwcdKzfZyPVgORxpE4sAeSe+zlQOUDctX7LAcLxzaPNI1Wjt9GIL3ooWp0G6iK24afIIjfqzcyPSsfpJu+fMDvQRYDiR5EhU2s4R3MzOIBLP4IC904VBLZFHewukuijLw1s5TJoeH+IV6pVJjv6UUlcEm+giFdJNvbWXLqQG7nCIIUzUCdy5gryCgm6aNkaBfQZ6RDBRDRssFv0l9anXC27YHd4AP9z5wflU7Qagl+5ikU53SnKxG+o3Ap5vg21LuRSNnmS3Yk+ZTAggitRJ74PdlTp2qcXO1TKZOr/l8sHEReg1o/elHBV9UNMQ7ffI7D0e4DEs5CpVSuldBLGSmqzqmrmXqkYO95igGKv6iMHV0r8Z3F2ZYvKUfEBABS5r36/DfLLQkBmUC4ZAWLecHE1Z6gq2VKDIKJFxWe4rp5PCD2WnOs6c0eyRXhPFOsANVXBS0Otb6F0t55UQz9JR4rJ5x9sWtuz0SDIyo4eYSz8RYqhks/v6K2Ru3woERpAkpCwWyxHrcVzM05G7c6IuFl76Juyf2CRWwA228hOsRQMW5pkVdBSI8lTaS3WI7ZhJOlsZ6SkdY5Fm0PdFHugmJzUG4WRAhfUPRfKNB0tkOYSjkkWqIKT2CSV7JkM1jrT4E8K90/6KRxkPKm415FOytBGRdm+1g9LSkDjgwBwvYeV+IVvgL2sWUkTfP3Z4yUGB+1dTynXA2+LdnGy9VTvSqT3GbCz02vh/Oe6MOBOyHMxzOfqom7hVMTdp9grkm0Y4W/fw+g34vymah/ZhdP/Tf05SrpEzk01L65xgwRqKHKnwnJP2LPffs+c2nSIZlk1WEaIww5Z2qo6XRTnbv5NwdoAud3H2PpOmJgzgg20ESuuJoif6Spv0wfVVUkQ8Gbdu0y8vZLv8PRKLOgfjhNRlncRINvvA==
Content-Transfer-Encoding	7bit

File Icon


Icon Hash:	46070c0a8e0c67d6