Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:phish_alert_sp2_2.0.0.0.eml
Analysis ID:1635263
MD5:1a2101b6a96ce7ce9f484ae7926eddd2
SHA1:1f49d3ed3a978c2d9fcd48d197261bc8cfb58e7e
SHA256:7e5674950975996a04037f19b874cf08295341bba43af3152aa2f723a9483db0
Infos:

Detection

KnowBe4
Score:56
Range:0 - 100
Confidence:100%

Signatures

Yara detected KnowBe4 simulated phishing
AI detected landing page (webpage, office document or email)
AI detected suspicious elements in Email content
Creates files inside the system directory
Deletes files inside the Windows folder
JA3 SSL client fingerprint seen in connection with other malware
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

Process Tree

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 5740 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 3068 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "4A255CB3-39EE-428C-9B93-D7A04E3BEDDD" "A11E6A3F-754B-434F-9D26-06CDFD5E26DE" "5740" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 3824 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://login.gogie.com.000000000000.phish.farm/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==?cid=2437273701 MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 1268 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,11391448760171201345,14718212384723619357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

HTML

SourceRuleDescriptionAuthorStrings
1.0.pages.csvJoeSecurity_KnowBe4Yara detected KnowBe4 simulated phishingJoe Security

    Sigma Signatures

    Sigma detected: Office Autorun Keys Modification
    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

    Suricata Signatures

    No Suricata rule has matched

    Joe Sandbox Signatures

    Click to jump to signature section

    Show All Signature Results

    Phishing

    barindex
    Yara detected KnowBe4 simulated phishing
    Source: Yara matchFile source: 1.0.pages.csv, type: HTML
    AI detected landing page (webpage, office document or email)
    Source: EmailJoe Sandbox AI: Email contains prominent button: 'accept & understand'
    AI detected suspicious elements in Email content
    Source: EmailJoe Sandbox AI: Detected potential phishing email: The email contains suspicious URLs with phishing farm domains. The sender domain 'application-alert.com' is not a legitimate Microsoft/Windows domain. The message creates urgency and requires clicking a suspicious button, typical phishing tactics
    Source: EmailClassification: Credential Stealer
    Source: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==HTTP Parser: No favicon
    Source: unknownHTTPS traffic detected: 184.86.251.28:443 -> 192.168.2.18:49711 version: TLS 1.2
    Source: Joe Sandbox ViewJA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.7
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 20.189.173.7
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 204.79.197.203
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 184.86.251.28
    Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.99
    Source: unknownTCP traffic detected without corresponding DNS query: 172.217.18.99
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownTCP traffic detected without corresponding DNS query: 20.190.160.5
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
    Source: global trafficHTTP traffic detected: GET /XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==?cid=2437273701 HTTP/1.1Host: login.gogie.com.000000000000.phish.farmConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ== HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: cross-siteSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: https://login.gogie.com.000000000000.phish.farm/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==?cid=2437273701Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /assets/landing-watermark-8487e36eef1bec74f06631f19fea0aa171c208e2976373cda5bd0a4b9e230903.css HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: text/css,*/*;q=0.1Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: styleReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /assets/application-237cb5c4f318687625f8ccf2f42de3fc20238bfe267384653491a6bba8c8f6f5.js HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Language: en-US,en;q=0.9Range: bytes=0-
    Source: global trafficHTTP traffic detected: GET /LP_videos/You've_Been_Phished.mp4 HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: videoSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Language: en-US,en;q=0.9Range: bytes=0-
    Source: global trafficHTTP traffic detected: GET /pages/f2e6f2a95eaf/phished.mp3 HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Language: en-US,en;q=0.9Range: bytes=196608-214545If-Range: "6b207845061b2bf9205c8418d478cc0b"
    Source: global trafficHTTP traffic detected: GET /pages/f2e6f2a95eaf/phished.mp3 HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: iframeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9If-None-Match: W/"74133370e122c9bb68f488aaad71134d"
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=0-
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Language: en-US,en;q=0.9Range: bytes=32768-
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=0-
    Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-alivesec-ch-ua-platform: "Windows"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: same-originSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageReferer: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==Accept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=196608-
    Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Host: secured-login.netConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36Accept: */*Sec-Fetch-Site: noneSec-Fetch-Mode: corsSec-Fetch-Dest: emptySec-Fetch-Storage-Access: activeAccept-Encoding: gzip, deflate, br, zstdAccept-Language: en-US,en;q=0.9
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=196608-
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=32768-
    Source: global trafficHTTP traffic detected: GET /LP_videos/hook.wav HTTP/1.1Host: helpimg.s3.amazonaws.comConnection: keep-alivesec-ch-ua-platform: "Windows"Accept-Encoding: identity;q=1, *;q=0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"sec-ch-ua-mobile: ?0Accept: */*Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: audioSec-Fetch-Storage-Access: activeReferer: https://secured-login.net/pages/f2e6f2a95eaf/phished.mp3Accept-Language: en-US,en;q=0.9Range: bytes=32768-
    Source: global trafficDNS traffic detected: DNS query: login.gogie.com.000000000000.phish.farm
    Source: global trafficDNS traffic detected: DNS query: secured-login.net
    Source: global trafficDNS traffic detected: DNS query: www.google.com
    Source: global trafficDNS traffic detected: DNS query: helpimg.s3.amazonaws.com
    Source: chromecache_64.9.drString found in binary or memory: http://www.videolan.org/x264.html
    Source: chromecache_66.9.dr, chromecache_62.9.drString found in binary or memory: https://helpimg.s3.amazonaws.com/LP_videos/You
    Source: chromecache_66.9.dr, chromecache_62.9.drString found in binary or memory: https://helpimg.s3.amazonaws.com/LP_videos/hook.wav
    Source: phish_alert_sp2_2.0.0.0.emlString found in binary or memory: https://login.gogie.com.000000000000.phish.farm/XNERJVGhPdmdzZGV4Z3hwREY3NzUydjc4dDVkbUVYS1VwbFhIeG5
    Source: phish_alert_sp2_2.0.0.0.emlString found in binary or memory: https://login.gogie.com.000000000000.phish.farm/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV
    Source: phish_alert_sp2_2.0.0.0.emlString found in binary or memory: https://login.gogie.com.000000000000.phish.farm/XcW1ZYzM5U2pISU03bDNqUElsRUd3MVRJS3BHZ29Ud1p2VjlpckN
    Source: chromecache_61.9.drString found in binary or memory: https://secured-login.net/pages/f2e6f2a95eaf/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WD
    Source: phish_alert_sp2_2.0.0.0.emlString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/0/05/Windows_10_Logo.svg/2560px-Windows_10_Logo
    Source: unknownNetwork traffic detected: HTTP traffic on port 49708 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49744
    Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
    Source: unknownNetwork traffic detected: HTTP traffic on port 49736 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49736
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49731
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49697
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
    Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49696
    Source: unknownNetwork traffic detected: HTTP traffic on port 49711 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49696 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49671 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49724 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49809
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
    Source: unknownNetwork traffic detected: HTTP traffic on port 49714 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49726
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49725
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49724
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49723
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
    Source: unknownNetwork traffic detected: HTTP traffic on port 49674 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
    Source: unknownNetwork traffic detected: HTTP traffic on port 49731 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49697 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49725 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
    Source: unknownNetwork traffic detected: HTTP traffic on port 49809 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49680 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49714
    Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49711
    Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49750
    Source: unknownNetwork traffic detected: HTTP traffic on port 49726 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49744 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49723 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49708
    Source: unknownNetwork traffic detected: HTTP traffic on port 49750 -> 443
    Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
    Source: unknownHTTPS traffic detected: 184.86.251.28:443 -> 192.168.2.18:49711 version: TLS 1.2
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Windows\SystemTemp\scoped_dir3824_1027417652Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile deleted: C:\Windows\SystemTemp\scoped_dir3824_1027417652Jump to behavior
    Source: classification engineClassification label: mal56.phis.winEML@24/17@10/9
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmpJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T0949390471-5740.etlJump to behavior
    Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "4A255CB3-39EE-428C-9B93-D7A04E3BEDDD" "A11E6A3F-754B-434F-9D26-06CDFD5E26DE" "5740" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://login.gogie.com.000000000000.phish.farm/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==?cid=2437273701
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,11391448760171201345,14718212384723619357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "4A255CB3-39EE-428C-9B93-D7A04E3BEDDD" "A11E6A3F-754B-434F-9D26-06CDFD5E26DE" "5740" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"Jump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://login.gogie.com.000000000000.phish.farm/XSzd4YnRkblh5RmJaK2lOM3pITkVpTzlSeTRQWFhjQllrZXVBSHV1WDVkaGdWbDJYZFlXT2dNQ2hpSDFYU2JEZktCK2w3T1lPOWNtYU9mcTEzTXhhMkVMRk1pRlVpYWVsT0RBVXZqaG5nckl6bC9aZVZEalVyOG4rNkJSa1lFT1VKWGQ4cEZCOEhNSlJER3k3Y0g5cXNBKzc2bEp6YU43MnROMnh6V2tnb0pDNUdkRnN5VkxEQkhUZlN3PT0tLTRQWmJoR2s5VWVORVB6NHotLWRBMmtlWjZoNVp4cUJtdllCczFpa0E9PQ==?cid=2437273701Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=2036,i,11391448760171201345,14718212384723619357,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2052 /prefetch:3Jump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files\Google\Chrome\Application\chrome.exeProcess created: unknown unknownJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: apphelp.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: c2r64.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: userenv.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: msasn1.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: kernel.appcore.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptsp.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: rsaenh.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: cryptbase.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeSection loaded: gpapi.dllJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32Jump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32Jump to behavior
    Source: Window RecorderWindow detected: More than 3 window changes detected
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\CommonJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicketJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformationJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformationJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformationJump to behavior
    Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

    Mitre Att&ck Matrix

    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
    Gather Victim Identity InformationAcquire InfrastructureValid AccountsWindows Management Instrumentation21
    Browser Extensions    		1
    Process Injection    		11
    Masquerading    		OS Credential Dumping1
    Process Discovery    		Remote ServicesData from Local System1
    Encrypted Channel    		Exfiltration Over Other Network MediumAbuse Accessibility Features
    CredentialsDomainsDefault AccountsScheduled Task/Job1
    DLL Side-Loading    		1
    DLL Side-Loading    		1
    Modify Registry    		LSASS Memory13
    System Information Discovery    		Remote Desktop ProtocolData from Removable Media2
    Non-Application Layer Protocol    		Exfiltration Over BluetoothNetwork Denial of Service
    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)1
    Process Injection    		Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared Drive3
    Application Layer Protocol    		Automated ExfiltrationData Encrypted for Impact
    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
    DLL Side-Loading    		NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput Capture1
    Ingress Tool Transfer    		Traffic DuplicationData Destruction
    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
    File Deletion    		LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.