Loading... Additional Content is being loaded

Windows Analysis Report
a.manasova@mlsp.kg.msg

Overview

General Information

Sample Name:	a.manasova@mlsp.kg.msg
Analysis ID:	882695
MD5:	141b5248e25ba914cf62643f1e37a1be
SHA1:	7506634f2eeafdff86ead03ab276127a3b19fcf3
SHA256:	e873bc60713be05e0d7e32218bba4839f6b09e7f59c5ac5cbc0ef582b666c26f
Infos:

Detection

Score:	21
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

LLM found phishing text in email (MSG / EML)

Creates or modifies windows services

Deletes files inside the Windows folder

Creates files inside the system directory

Classification

Signatures

Phishing

LLM found phishing text in email (MSG / EML)

Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Subject is an email address, not a relevant subject line
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Mismatch between sender's email domain and organization mentioned in signature
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Message content mentions infected password to file
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Unrelated recipient email address
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Attachment with suspicious file format (.zip)

Deletes files inside the Windows folder

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File deleted: C:\Windows\SysWOW64\PerfStringBackup.TMP

Jump to behavior

Creates files inside the system directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Windows\inf\Outlook\

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\{285EE306-80F3-46AB-9CE8-F29B3B7E7A13} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File written: C:\Windows\INF\Outlook\outlperf.ini

Jump to behavior

Source: classification engine

Classification label: sus21.phis.winMSG@1/14@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File read: C:\Program Files (x86)\Microsoft Office\Office16\1033\OUTLPERF.INI

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window detected: Number of UI elements: 13

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT	data	2D5F0515FA329653416C418EEAF0539B	11AF78A611AF5B0FE222FDFC9C0ECFF9D0078171	6C3A050F2807515EB8762C7DC79547EB8C8F8D90699A2B755EDA007E34403FC1
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\AC750082.dat	JPEG image data, Exif standard: [TIFF image data, big-endian, direntries=12, height=1404, bps=0, PhotometricIntepretation=RGB, orientation=upper-left, width=3482], progressive, precision 8, 1500x605, components 3	C835CC5EBB3DFFBEEEA5C19DCC3BAB4B	E7A1422F4B8B952325945678B7F41BBE48496C11	1DE5F68AB47A6ABEF6D3A3FC8B681AC425B8D4E682298EDE9756F7849498507F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{C2CF8DBE-A3F9-4A9D-96B0-EC158C0DA5C3}.tmp	data	D6FD5A20495711B409BD7E4A8E14F1A1	27BB1641EAAB578908A766B4FDFE939390D612E5	FA25E32905B07271F7221B7E25CD17293D72848C9E9733846E9CBFA60748C85B
C:\Users\user\AppData\Local\Temp\~DF8280B2FDC6D618DD.TMP	data	96B2ACB1F8B2B0B175BCBE69B4BE9C2C	E9777AB36427D6A08AE748E471C37C6AA71B4DB3	F52F44F4396221F1E24FF269D0E564D7A82FD3C07BF4636D2BCD1671F90025F5
C:\Users\user\AppData\Roaming\Microsoft\Outlook\Outlook.srs	Composite Document File V2 Document, Cannot read section info	B4A39480FB4639B8D1EC08797FDE62E6	FCD6D9B0A6310C6ECA7E83B45E4FF4AAB6B0BF26	DD64A55757F9CFAA40E285A3CECC1A8F93BBF565652F366DEF7434904DD59A11
C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C4F79900719F08A6F11287E3C7991493	754325A769BE6ECCC664002CD8F6BDB0D0B8CA4D	625CA96CCA65A363CC76429804FF47520B103D2044BA559B11EB02AB7B4D79A8
C:\Users\user\Documents\Outlook Files\Outlook.pst	Microsoft Outlook email folder (>=2003)	C9D1F19E90D5ED41F74C5951149BCF8D	BFCA41030C603AF2F608696BD2A9964118E8FE3B	2E83EFCC0A629BD77209761FEC6036165C8CB716F7C4EB8F68F5116E1F32CA95
C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp	data	2006E2C1411DF44E74FEFBDB1AE02197	03819483C186103DC08762A864710FEDE2C881B9	067CB3C687CED36749E78AC0A9C801E710F622CE4366F420BC1D197EFF507339
C:\Windows\INF\Outlook\outlperf.h	ASCII text, with CRLF line terminators	BC71FF7DA14ECA943FA0AD815F72B8CB	CECCD0CFF2DD12AEDE7DE14457D15D00687165BB	48E537902C03A3EEE4790FC97EE072CDDC7C1A90122702DD18243D8C12A0D99A
C:\Windows\INF\Outlook\outlperf.ini	Generic INItialization configuration [languages]	509A7197AE66401D1DA76F4BAC1DD0A8	A30F0CF0161ADDBDD3B04B482FEF651EE4EAE322	EE9E288C3495FD548FD49095BE08807F215FC0780064E179011098C0C7461A34
C:\Windows\SysWOW64\PerfStringBackup.INI	data	DCCE5FDA282F7296C105A3873060F7E1	876013B7EB661FF7B33845DBFAD468D70B29EB39	E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
C:\Windows\SysWOW64\PerfStringBackup.TMP	data	DCCE5FDA282F7296C105A3873060F7E1	876013B7EB661FF7B33845DBFAD468D70B29EB39	E2C4415CCAF2F1CCE8448F8EF0B297CE0BDD085FB36072F0E784F403ECC20082
C:\Windows\System32\perfc009.dat	data	CD989A7EF2086A5952A945991A8E731D	BF9DBF42367872448D1A8C107C132C5C6355D156	A9DD4213B016C7C37E18394710657327BB6DD083A6EBF9D97D94A31829A630E1
C:\Windows\System32\perfh009.dat	data	E7524976DB303DF6346CF3024872DD9C	31CAF98E58524AB40F9A786F4504869AFABA1F3A	2CDA416A24A4B10CC28E873E038CED3207D1EFB4A1D07A4594D5728B48EAE4FD

Phishing

LLM found phishing text in email (MSG / EML)

Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Subject is an email address, not a relevant subject line
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Mismatch between sender's email domain and organization mentioned in signature
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Message content mentions infected password to file
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Unrelated recipient email address
Source: a.manasova@mlsp.kg.msg	ChatGPT: Communication: 0 reasoning: Attachment with suspicious file format (.zip)

Deletes files inside the Windows folder

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File deleted: C:\Windows\SysWOW64\PerfStringBackup.TMP

Jump to behavior

Creates files inside the system directory

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Windows\inf\Outlook\

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\{285EE306-80F3-46AB-9CE8-F29B3B7E7A13} - OProcSessId.dat

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File written: C:\Windows\INF\Outlook\outlperf.ini

Jump to behavior

Source: classification engine

Classification label: sus21.phis.winMSG@1/14@0/0

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File read: C:\Program Files (x86)\Microsoft Office\Office16\1033\OUTLPERF.INI

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Window detected: Number of UI elements: 13

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages

Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Outlook\Performance

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior