Windows Analysis Report
phish_alert_sp2_2.0.0.0 (1).eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0 (1).eml
Analysis ID: 1634062
MD5: 6d375e97904edb0e364355904788b70f
SHA1: bff9bf8ff54f001cbba2e95226914acdbe307f50
SHA256: afba89a8de9c1e86c22b07bae7566b270f8973b021752ebeb9aa42b44254cbc6

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
IP address seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Suspicious Office Outbound Connections
Suricata IDS alerts with low severity for network traffic

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8904 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (1).eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5524 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D247B595-C988-431A-9F38-28BA3BBEE6FE" "0E69CB0F-3467-4C0B-95EC-304C1B024ED2" "8904" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma: Office Autorun Keys Modification | Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8904, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Sigma: Suspicious Office Outbound Connections | Source: Network Connection | Author: X__Junior (Nextron Systems) | Data: DestinationIp: 192.168.2.5, DestinationIsIpv6: false, DestinationPort: 49722, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, Initiated: true, ProcessId: 8904, Protocol: tcp, SourceIp: 52.123.128.14, SourceIsIpv6: false, SourcePort: 443

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-03-10T18:22:18.231468+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49722 | 52.123.128.14 | 443 | TCP


Phishing

Source: Email | Joe Sandbox AI: Detected potential phishing email: The sender email domain 'registrations-openai.com' is suspicious and not an official OpenAI domain. The links in the email point to 'web-login.malwarebouncer.com' which is clearly malicious. The email content is repetitive and contains multiple duplicate sections, indicating poor formatting typical of phishing attempts.
Source: Email | Joe Sandbox AI: Detected suspicious elements in Email header: Suspicious sender domain 'registrations-openai.com' attempting to impersonate OpenAI. Return-path domain doesn't match the actual KnowBe4 sending infrastructure (message-id shows knowbe4.com). Received headers show the email actually originated from KnowBe4's infrastructure (psm.knowbe4.com). This appears to be a phishing simulation/training email from the KnowBe4 security awareness platform. Multiple authentication indicators and routing paths don't align with the claimed sender domain. The email is trying to masquerade as a workspace invitation while using suspicious domain variations.
Source: Email | Classification: Credential Stealer
Source: Joe Sandbox View | IP Address: 52.123.128.14
Source: Network traffic | Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49722 -> 52.123.128.14:443
Source: phish_alert_sp2_2.0.0.0 (1).eml | String found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/4/4d/OpenAI_Logo.svg/320px-OpenAI_Logo.svg.png
Source: phish_alert_sp2_2.0.0.0 (1).eml | String found in binary or memory: https://web-login.malwarebouncer.com/XU2U4QlVnUlRvZ0xjTmFLRWwvK29LOUlzRkJiVkxqUTFud2F3c2I0RnZjcEpUcH
Source: phish_alert_sp2_2.0.0.0 (1).eml | String found in binary or memory: https://web-login.malwarebouncer.com/XV1pBTkl5TVgrV1o2enRmWGpjOXY1bjZMbElGSWlIMkNhWnZPUmFTbXlWSjZINk
Source: phish_alert_sp2_2.0.0.0 (1).eml | String found in binary or memory: https://web-login.malwarebouncer.com/XcnA0dFhDSnM0V3l3MmN0N2taWitMUDVHQXNENEtlY2dXY3E2SitnUXlSN0xJWE
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown | Network traffic detected: HTTP traffic on port 49722 -> 443
Source: classification engine | Classification label: mal48.winEML@3/4@0/1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250310T1320440148-8904.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (1).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D247B595-C988-431A-9F38-28BA3BBEE6FE" "0E69CB0F-3467-4C0B-95EC-304C1B024ED2" "8904" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (logged repeatedly)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (logged repeatedly)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
ATT&CK matrix (a leading number is the count of observed behaviours mapped to that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At
Persistence: 11 Browser Extensions; 1 DLL Side-Loading; Logon Script (Windows)
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows)
Defense Evasion: 1 Masquerading; 1 Process Injection; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: 1 Process Discovery; 1 File and Directory Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
Command and Control: 2 Encrypted Channel; 1 Application Layer Protocol; Steganography
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact

No Antivirus matches
Domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
s-0005.dual-s-msedge.net | 52.123.128.14 | true | false | - | high

URLs:
Name | Source | Malicious | Antivirus Detection | Reputation
https://upload.wikimedia.org/wikipedia/commons/thumb/4/4d/OpenAI_Logo.svg/320px-OpenAI_Logo.svg.png | phish_alert_sp2_2.0.0.0 (1).eml | false | - | high
https://web-login.malwarebouncer.com/XV1pBTkl5TVgrV1o2enRmWGpjOXY1bjZMbElGSWlIMkNhWnZPUmFTbXlWSjZINk | phish_alert_sp2_2.0.0.0 (1).eml | false | - | high
https://web-login.malwarebouncer.com/XU2U4QlVnUlRvZ0xjTmFLRWwvK29LOUlzRkJiVkxqUTFud2F3c2I0RnZjcEpUcH | phish_alert_sp2_2.0.0.0 (1).eml | false | - | high
https://web-login.malwarebouncer.com/XcnA0dFhDSnM0V3l3MmN0N2taWitMUDVHQXNENEtlY2dXY3E2SitnUXlSN0xJWE | phish_alert_sp2_2.0.0.0 (1).eml | false | - | high
IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
52.123.128.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1634062
Start date and time: 2025-03-10 18:19:33 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 25s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phish_alert_sp2_2.0.0.0 (1).eml
Detection: MAL
Classification: mal48.winEML@3/4@0/1
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.28.46, 20.189.173.1
  • Excluded domains from analysis (whitelisted): ecs.office.com, onedscolprdwus00.westus.cloudapp.azure.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, g.bing.com, mobile.events.data.microsoft.com, dual-s-0005-office.config.skype.com, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, uks-azsc-config.officeapps.live.com
  • Not all processes were analysed; the report is missing behavior information
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
            No simulations
Context for IP 52.123.128.14 (other analysed samples that contacted this IP):
Associated Sample Name / URL | Detection | Threat Name
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown
Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown
221036299-043825-sanlccjavap0004-6531.xls | malicious | Unknown
phish_alert_sp2_2.0.0.0.eml | malicious | HTMLPhisher
desaremix.exe | malicious | KillMBR
desaremix.exe | malicious | KillMBR
phish_alert_sp2_2.0.0.0.msg | malicious | unknown
Urgent Suspicious Scam Email.eml | malicious | Unknown
phish_alert_iocp_v1.4.48 - 2025-03-04T101341.702.eml | malicious | Unknown
Context for domain s-0005.dual-s-msedge.net (other analysed samples that resolved this domain):
Associated Sample Name / URL | Detection | Threat Name | Resolved IP
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown | 52.123.128.14
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown | 52.123.128.14
Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown | 52.123.128.14
Would you please take a look at this for Miss Robin.msg | malicious | Unknown | 52.123.129.14
R.D. Bitzer Co. Inc.xlsm | malicious | Unknown | 52.123.129.14
inbound CaIIer left (2) 0033secsCaII__[MSG-ID-df8a922f18abc71f9a730a93c234d77c.eml | malicious | Unknown | 52.123.129.14
221036299-043825-sanlccjavap0004-6531.xls | malicious | Unknown | 52.123.128.14
221036299-043825-sanlccjavap0004-6531.xls | malicious | Unknown | 52.123.128.14
L#U00f6senordet f#U00f6r tommy.mobrin@skolverket.se g#U00e5r ut idag!.msg | malicious | Unknown | 52.123.129.14
FW 188355..msg | malicious | HTMLPhisher | 52.123.129.14
Context for ASN MICROSOFT-CORP-MSN-AS-BLOCKUS (other analysed samples that contacted this ASN):
Associated Sample Name / URL | Detection | Threat Name | IP
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown | 52.123.128.14
R.D. Bitzer Co., Inc.xlsm | malicious | Unknown | 52.123.128.14
Fw Invitation for Eligibilitytrackingcalculators to Participate in Asset Growth.msg | malicious | Unknown | 104.208.16.95
https://tjjrotk.bishirian.my/ | malicious | HTMLPhisher | 40.114.177.156
Theresa Badham_blmgmxdkjbwlx.html | malicious | Unknown | 40.114.177.156
Online Notification.pdf | malicious | HTMLPhisher | 13.107.42.14
Would you please take a look at this for Miss Robin.msg | malicious | Unknown | 52.123.129.14
R.D. Bitzer Co. Inc.xlsm | malicious | Unknown | 52.123.131.14
R.D. Bitzer Co. Inc.xlsm | malicious | Unknown | 52.123.129.14
inbound CaIIer left (2) 0033secsCaII__[MSG-ID-df8a922f18abc71f9a730a93c234d77c.eml | malicious | Unknown | 52.123.129.14

No context
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 106496
Entropy (8bit): 4.513330807449583
Encrypted: false
SSDEEP: 768:t17vad6JctN4GALnPI4KE98olKDZdXdQsMlqcjAl6BzJJ8g/WrW6tV:uiLQ4KE98olKPXdQsMlqcjAl6VJJ87
MD5: 96BE9940D02DA2F0E738076E2829DDE8
SHA1: 17701F7ECB26E39B75AA3EE7D21A8EB5CFDC8FEC
SHA-256: DFF8428728136C8B05F2C4B19A5DC199A2335969D98EF41479B895D0D9A8D8D1
SHA-512: 3A5003EE2999312DB1DCB53C49C43D72AA09E901593E800BAE0FFF473B5D798B85094181C03998ECD4285A412AAE6EBA946C775CCC92FB5081D81674476AB242
Malicious: false
Reputation: low

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: GIF image data, version 89a, 15 x 15
Category: dropped
Size (bytes): 663
Entropy (8bit): 5.949125862393289
Encrypted: false
SSDEEP: 12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5: ED3C1C40B68BA4F40DB15529D5443DEC
SHA1: 831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256: 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512: C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious: false
Reputation: high, very likely benign file

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 2.1162594074718144
Encrypted: false
SSDEEP: 1536:5gTphyuQm0W0KmrFsmguw0cccswC/uW53jEpEHP4qQ10PAwr1:i/QVcccpRp9
MD5: AB90131D4336BD6F1196AE744AE722B0
SHA1: 248ADFFD899E8AAA49A1C0FF6720102E399D8341
SHA-256: B6E0CE45E3D514783350E1AFB70DB9E605F12A20AE722AE933F854D12CE3F91B
SHA-512: 10C807C96B991BE7A3ECA82BB52AFCBA7F9B771837F4F45CD50216D13669C35913E07A4A943620360D7192B4D2C77390E4C7E5D4C847D93F9C7B3206FABA4B14
Malicious: true
Reputation: low
                                Preview:!BDN....SM......\....H..................Y................@...........@...@...................................@...........................................................................$.......D...............................................v..................................................................................................................................................................................................................................................................................L..........,........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):131072
                                Entropy (8bit):3.4857884669734474
                                Encrypted:false
                                SSDEEP:1536:QUW0KmrKrWmggaZ82YwW53jEpEHP4qQ10PAwr1M/YoscccVQ:fZp9ucccVQ
                                MD5:EB7576AC8FFFF0607C4EBF17ADB2739A
                                SHA1:1C153EB5ACBF6D2216FC69585E9F83853F36C66E
                                SHA-256:A269C2FCD1997854AC2C708B3517C72B1F6B0BA288D2D3C2C8ADB43D591EFCF3
                                SHA-512:BDF94CF3E7938452FB8F85F41A38FDE0996FB6D4A8321120EBEAA2121D68EB6AF550DE4CE6871515C0E30F358F2AE54B8FD21AA8D88B62DFCD8FFE9A9BC6072F
                                Malicious:true
                                Reputation:low
                                Preview:..J.C...[........"....N.......................#.!BDN....SM......\....H..................Y................@...........@...@...................................@...........................................................................$.......D...............................................v..................................................................................................................................................................................................................................................................................L..........,......N.......................#............................PT.............................PT.............................PT.........................."...PT..............................PT..............................PT..............................PT.."......................."...PT..-...........................PT..............................PT../...........................PT..B.......(..............."...PT..M.......
                                File type:RFC 822 mail, ASCII text, with very long lines (2713), with CRLF line terminators
                                Entropy (8bit):6.017159346571694
                                TrID:
                                • E-Mail message (Var. 5) (54515/1) 100.00%
                                File name:phish_alert_sp2_2.0.0.0 (1).eml
                                File size:12'598 bytes
                                MD5:6d375e97904edb0e364355904788b70f
                                SHA1:bff9bf8ff54f001cbba2e95226914acdbe307f50
                                SHA256:afba89a8de9c1e86c22b07bae7566b270f8973b021752ebeb9aa42b44254cbc6
                                SHA512:ac2fa9240659ad6268ed6740c0cb98bc009b5a88387608340bc7b40baf5a42dcb8e85546433ea93205cb828dd2d72220b5360418579ce95322bd02c245435eab
                                SSDEEP:192:LDzrX3el80UTlcoTfqdH2GaPOopxNKKm2pCo1cwNeGwSNcaketzI:LDzrXq80UZc4AH5JopxMKmqCSNkuzI
                                TLSH:F5426CA186C4781E2BE1D58BC6103A44D3B440AA83F36CD5FF6F51F602C256D4BA768E
                                File Content Preview:Received: from DU4P191MB2720.EURP191.PROD.OUTLOOK.COM.. (2603:10a6:10:571::13) by PR3P191MB0987.EURP191.PROD.OUTLOOK.COM with.. HTTPS; Mon, 10 Mar 2025 14:52:12 +0000..Received: from DU2P251CA0019.EURP251.PROD.OUTLOOK.COM.. (2603:10a6:10:230::26) by DU4P1
                                Subject:You have been invited to a ChatGPT Team - Modaxo America
                                From:OpenAI Registrations <noreply-workspaceinvtation@registrations-openai.com>
                                To:Yoshiro Nakasato <yoshiro.nakasato@modaxo.com>
                                Cc:
                                BCC:
                                Date:Mon, 10 Mar 2025 14:52:08 +0000
                                Communications:
                                • EXTERNAL: Do not click links or open attachments if you do not recognize the sender. Nima Sheka has invited you to collaborate using ChatGPT Team in the workspace Modaxo America. Please follow the steps below to register your account. Click the button below to register your account. Under the Workspace dropdown, select "Modaxo America". Enter your organization email address and create a strong password. Request a registration code to your email address and verify your account. Join workspace. This invitation link will expire within 72 hours. If you have any questions, please contact us. Best, OpenAI Registrations Team
                                • Links in the message body:
                                  https://web-login.malwarebouncer.com/XV1pBTkl5TVgrV1o2enRmWGpjOXY1bjZMbElGSWlIMkNhWnZPUmFTbXlWSjZINk53NmZxQ3orcVVDRHA2WTBhLzFVc3o1SGxwTFdJRlNsc2w1cGp3SWlmMHJ6RHJJYzNsR2lBUmwyZlBCL0RIMXFwZTJUSmg3ajZVK1hLMEsvbzlRSllwNmlEclVWV3NBT3BvYTVVS1FTb1pKNkRobUZodU5TVWVHRnFvWUlwWW0yNWRnV2lpRHBYaVdIVHhCTVpwNU1zPS0tWVZmZXNPTlRDZk1qZXN6Uy0tR2tvUEZ5dzVrL0ZnQ1B2WThOQjdMdz09?cid=2438941152
                                  https://web-login.malwarebouncer.com/XcnA0dFhDSnM0V3l3MmN0N2taWitMUDVHQXNENEtlY2dXY3E2SitnUXlSN0xJWE1zZWtJbGpGVXFMNDZweXNNQkFTR3VqVFMrTVpvVVVwWko0VWVxbGtLcXFuY2VGcU9ub1BWcWFUbmZiTnRaSjdIYnZpL3F0V1ZNeUg4VllmWmhncmVrKzVMR2IzMjdiMWNMTlpHSG5qRHZpTnl1ckNUM2lvbldtV1ZveHVkQk92RTUySVFnTnVURHNETGNZQ0NzUU5BS3ZoRFFzQmM9LS1oc2pZZmNWZlFrdjYrVmViLS1Yck04K3B5M01pV3E2dlRWbzArRkdnPT0=?cid=2438941152
                                Attachments:
                                  Key: Value
                                  Received: from psm.knowbe4.com (psm.knowbe4.com [23.21.109.197]) by mx0c-001a4c01.pphosted.com (PPS) with ESMTPS id 458g47r70q-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for <yoshiro.nakasato@modaxo.com>; Mon, 10 Mar 2025 10:52:10 -0400 (EDT)
                                  Authentication-Results: spf=none (sender IP is 67.231.151.23) smtp.mailfrom=registrations-openai.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=registrations-openai.com;compauth=none reason=405
                                  Received-Spf: None (protection.outlook.com: registrations-openai.com does not designate permitted sender hosts)
                                  Authentication-Results-Original: ppops.net; spf=none smtp.mailfrom=noreply-workspaceinvtation@registrations-openai.com; dmarc=none
                                  Message-Id: <12384256d.a526be65@psm.knowbe4.com>
                                  Date: Mon, 10 Mar 2025 14:52:08 +0000
                                  From: OpenAI Registrations <noreply-workspaceinvtation@registrations-openai.com>
                                  Reply-To: OpenAI Registrations <noreply-workspaceinvtation@registrations-openai.com>
                                  To: Yoshiro Nakasato <yoshiro.nakasato@modaxo.com>
                                  Subject: You have been invited to a ChatGPT Team - Modaxo America
                                  MIME-Version: 1.0
                                  Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17416267186160.15836393094748247"
                                  Content-Transfer-Encoding: 7bit
                                  X-Phish-Crid: 2438941152
                                  X-Phishtest: This is a phishing security test from KnowBe4 that has been authorized by the recipient organization
                                  X-Proofpointheader: Yes
                                  Return-Path: noreply-workspaceinvtation@registrations-openai.com
                                  X-Ms-Exchange-Organization-Expirationstarttime: 10 Mar 2025 14:52:11.1610 (UTC)
                                  X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
                                  X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
                                  X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
                                  X-Ms-Exchange-Organization-Network-Message-Id: c31fe9a3-ae31-46c8-3260-08dd5fe32357
                                  X-Eopattributedmessage: 0
                                  X-Eoptenantattributedmessage: 75c696ec-5bfb-4892-9a0c-9187a9061cd6:0
                                  X-Ms-Exchange-Organization-Messagedirectionality: Incoming
                                  X-Ms-Publictraffictype: Email
                                  X-Ms-Traffictypediagnostic: DU2PEPF00028D0F:EE_|DU4P191MB2720:EE_|PR3P191MB0987:EE_
                                  X-Ms-Exchange-Organization-Authsource: DU2PEPF00028D0F.eurprd03.prod.outlook.com
                                  X-Ms-Exchange-Organization-Authas: Anonymous
                                  X-Ms-Office365-Filtering-Correlation-Id: c31fe9a3-ae31-46c8-3260-08dd5fe32357
                                  X-Ms-Exchange-Organization-Scl: -1
                                  X-Microsoft-Antispam: BCL:0;ARA:13230040|82310400026|5073199012|34002699019|69100299015|4076899003|8096899003|13003099007|18906007;
                                  X-Forefront-Antispam-Report: CIP:67.231.151.23;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0d-001a4c01.pphosted.com;PTR:mx0d-001a4c01.pphosted.com;CAT:NONE;SFS:(13230040)(82310400026)(5073199012)(34002699019)(69100299015)(4076899003)(8096899003)(13003099007)(18906007);DIR:INB;
                                  X-Ms-Exchange-Crosstenant-Originalarrivaltime: 10 Mar 2025 14:52:10.8641 (UTC)
                                  X-Ms-Exchange-Crosstenant-Network-Message-Id: c31fe9a3-ae31-46c8-3260-08dd5fe32357
                                  X-Ms-Exchange-Crosstenant-Id: 75c696ec-5bfb-4892-9a0c-9187a9061cd6
                                  X-Ms-Exchange-Crosstenant-Authsource: DU2PEPF00028D0F.eurprd03.prod.outlook.com
                                  X-Ms-Exchange-Crosstenant-Authas: Anonymous
                                  X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
                                  X-Ms-Exchange-Transport-Crosstenantheadersstamped: DU4P191MB2720
                                  X-Ms-Exchange-Transport-Endtoendlatency: 00:00:01.4806796
                                  X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8511.025
                                  X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710117)(4712020)(4716014)(920097)(930097)(140003);
                                  X-Microsoft-Antispam-Message-Info 6YM+9CoVUAxc+FtF6DtAZ9OqndjEbvRVF3l4b44bdMdMYme4Ymce8xe8bVyf3pBEKSm2QQE+VamDqhXmk8tQoYdastmjISqAx9b/ZkOC75xmYOIcznHjWIZRJUV9d3CsQohIlTX1KyAdLSnqMRJs4RgyJuFiOKqEw9Um4FafvxZpQhJQkxP+qhGf60ROloLfK379uzQZ6PBvZgBg/r8zNnl7ePiXXyY9r4+mXTdKUB1nhZFkDgmVfn62WYhV/Wu1MDYTB/IUzvzgEN4n5VFFxHHsUkuU7qj7Pb6f+XJCAqWepkHYnRbghdFH3w9oVjLUFnSr3LrQ7tG8anGfSb61pgv1u5RiMECZGcAiHg2owKAHqtmSTKuAs16vgLAQQOSawN5/Ws/56NWf5YmAEqCgaTLsZ4/M6bmbs21Bnz97FCQ2T6oq09NlvS/PQUF6RvhoV0rNOVAw9bSAKY65w+tkbBaUewO1KopucSD00yZy4xHdkcwgpsdCMXtcdPpSJHGYq6yRyVZc2UkP1H7Zfah6351bvmGV6U9ctqA6G4udMZnJMSuFly0eBpO1GdPrBcZ9uXl65qsKlsF463pMTbBqZH0SaCCxJs7jVi+51MWHLX/paJ1zPRv+GJAR/6ta1k3ajVGHzn70lUzJPYITWOxUG+NH98SsFcwdpTPZIVBJbO+5+UqqTta7IdpVrFErBWnJk21yTRrNrwuMukphccUrBNYHznyA5heoRtzxhLInfE3752BLIK3nCiuq/StGleSbc+b8DsZTxTJ6BLIKdQUuVbsP08LB6NpO7eRqEbyWi9fNV+zi+dGAEqE+gpa3rw9s/uPH+WJPwQ/6jILjs/1+uOzf/Ee2JosDyuO+vPOaDe8ke/X0CT2ZmyaaFmYh8D8oQruSD+odAs4BBSdE9XPb2irkNnUkDzf2J9ixsAh/ofW21oQ4kTk7pxaryb5dFf1d0W2J++6v3EsZP67SxwoswRTNPQM2cdYfvmFsrHoztSODADTXo5+PAbRS8EXlD/FaJ5bVHrMwJVRmzxPL8BZs8Z0uxM/utdIj6PNIfV6VF1ncvCkTD+Vjq8v7ILxWgIPvG7244iR4YdIX9yOuNedzaSJ4v8sRcsCd+0C6OUqPmpdUzP3IvETv6oenmfxhkfRohSH9Rti5lUUq1rOZLtrZH6O4tfvodjDKUy+g/efPEE834xKhGPCYdUAVNhLIrF6Z0CKUpq3l/hMRW9cZM88ymHTWrpyIwH+Req7OXbWvtZqbiwVHrNg3EjDAwA/UoT8DvcM2YcSYgopum2TOIlLJwIa5jfX+uz9liOdPLL4FIaF/cW+AgCi010lPhgS9RQ3z2YSqckhTYL/xXDmxIXmnMvHJ1YSCW1KOFn1AbgvoHbFcy6cugPZGNncbRFiNxOf812uhm9lwyF2VwpoVDxq6Ntz4U+RnvDI6OohOxXKY0pO42oTNaLD0avdXx3tVtoJcUIXoz0VdcbvXUHbRn0tErfzanHOwhp4A2QyKa/xyfmoKPPZ3HaEBprJntcvfi1L3ZWEuMwgzdTij67phg1HElnNMZaKzEz+qZMjdC+GDaxCa6LIvT2hMDjR92bzWf/qDzYGumkqxI6oRMn9pE9aX0KjH31/bSOd1BvZpG+Xyy7EgB2hfeC5lbAk4nDxSVBUr3YwkC2fEEsrYjMIRNgkcYcu4DNeBe8CBfkN15oK+9oS1MhlgeChpDtAlcrPKBQT+q0ZrnctQFElybh9opCy9XTr6XdM1hR0etLLZYh/OtVUsfNkPjrez0+0oIM/lVXwKeoLZQZllqExVI7qB11CKm4FwAllTp3xmk7oXXa21iGOSWE8bDY9/Hv2AHBUIp1Y2NwVP2TL98u/LprFMSYvL5kTGqJxId60trAbBCfKXvtLQCs8w7pO+sEiuav21WjU5MGs0WM5L5PFW
8o4Z23B9MsyUKNU+9JZcBrtejb2xRMra1bQNwVu4/imxxJ+iJuutbF6crSA1WPRumHRgcl2iFIfwe/i6WpojhilpdE4XWronWC7iuVaJmd6uJ7h3jRy9HoT8qHN3/XMvJvD+DFSeKFcAS2HhBoaRrK9kKV5KJJ1bIp6xsNEYT1IicVSWE7kuP9QO6E5vx6ur8gZ6ytY51C1u/LubdGsPy5XKJDYLpw9+V5u4QmmAlACj/NxT+y4ZpMe1jcIanjrdkGPihugJxhwBARRq4rPtB+t95zVFBSdcX2TxUAwu2gR2WgleP32aUmyxewZvbDfYSYjoiIaXjMpXuyrZoOlYAL++2LU3VxKcBnp5ZjSlUp+DcFDo+Xae+XKwJnudGchBqLLEaNs0R2dFtoe7GwtVW6oJrFRlvRpvuZQawCPTKeS/JiU4/c7a0NqUST4yo23k3g1lmJWkDqEkzAavk+5hzC5MToo/JuF754kCPh+0+6bUlF2qRwduqNc6PlcG9NwT4Hp38gPeNO3tiP2sd+nm4dKDH7Cavm0rMnzzcdSdLvx/7yZqC1iq1PCF38+Qs7t7akdhpfRS31QOjqckh9i7hjXE561a2n7QKOtDMWjAlSkb3miiyA51njalf2ZiD2bu0wkpteQM24QWzlaKpKmKMIWkK5kog3OCkStSaNKnyZQ2HR0WKVNp2Azbs2bBPy6FenjNAiMUUJAAXZPs/mHxGFr3rhMe+Sj2rAM4vSyFLRSXfjpoqtZVeOKlMfoT4PQHOsMAdmXMlA==

                                  Icon Hash:46070c0a8e0c67d6
                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                  2025-03-10T18:22:18.231468+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49722 | 52.123.128.14 | 443 | TCP
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Mar 10, 2025 18:21:18.260333061 CET | 49722 | 443 | 192.168.2.5 | 52.123.128.14
                                  Mar 10, 2025 18:21:18.260370970 CET | 443 | 49722 | 52.123.128.14 | 192.168.2.5
                                  Mar 10, 2025 18:21:18.260559082 CET | 49722 | 443 | 192.168.2.5 | 52.123.128.14
                                  Mar 10, 2025 18:21:18.260799885 CET | 49722 | 443 | 192.168.2.5 | 52.123.128.14
                                  Mar 10, 2025 18:21:18.260811090 CET | 443 | 49722 | 52.123.128.14 | 192.168.2.5
                                  Mar 10, 2025 18:22:18.231467962 CET | 49722 | 443 | 192.168.2.5 | 52.123.128.14
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Mar 10, 2025 18:21:18.259344101 CET | 1.1.1.1 | 192.168.2.5 | 0x6f14 | No error (0) | ecs-office.s-0005.dual-s-msedge.net | s-0005.dual-s-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
                                  Mar 10, 2025 18:21:18.259344101 CET | 1.1.1.1 | 192.168.2.5 | 0x6f14 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.128.14 | A (IP address) | IN (0x0001) | false
                                  Mar 10, 2025 18:21:18.259344101 CET | 1.1.1.1 | 192.168.2.5 | 0x6f14 | No error (0) | s-0005.dual-s-msedge.net | | 52.123.129.14 | A (IP address) | IN (0x0001) | false


                                  Target ID:0
                                  Start time:13:20:40
                                  Start date:10/03/2025
                                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (1).eml"
                                  Imagebase:0x360000
                                  File size:34'446'744 bytes
                                  MD5 hash:91A5292942864110ED734005B7E005C0
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  Target ID:4
                                  Start time:13:20:46
                                  Start date:10/03/2025
                                  Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "D247B595-C988-431A-9F38-28BA3BBEE6FE" "0E69CB0F-3467-4C0B-95EC-304C1B024ED2" "8904" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                                  Imagebase:0x7ff691de0000
                                  File size:710'048 bytes
                                  MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:false

                                  No disassembly