
Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0.eml
Analysis ID: 1582267
MD5: 9a5666ecb57a9b487e212116d4d25f57
SHA1: d336537163627c8e16d6723157e2301ff2167003
SHA256: 4bcde5e502301614efa0ba9d4e7681db2ffabf3d97eb699ba2bd695d2ed0ead0

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected landing page (webpage, office document or email)
AI detected potential phishing Email
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7620 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7908 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6C3C8601-5CA3-4290-A3F3-5F5407F4386A" "68563A63-B88A-4F7C-884B-B76C5381F25D" "7620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set | Sigma rule: Office Autorun Keys Modification | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7620, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched
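The Sigma hit above deserves a caveat before it goes into a ticket: the registry write was made by OUTLOOK.EXE itself (the process the sandbox launched to open the .eml) to its own OneNote.OutlookAddin key, which is normal add-in bookkeeping rather than behaviour of the sample. What makes an Office add-in autorun key write worth escalating is who wrote it. The triage below is an added example, not the Sigma rule and not code from the Joe Sandbox report; it reuses the Sysmon EventID 13 record shown above as its first event and adds a constructed second event in which a binary outside the Office install directory sets LoadBehavior on a new Outlook add-in (the path, process and key name in that event are invented for the example).

```python
"""Triage Sysmon registry events (EventID 13, SetValue) for Office add-in autorun keys.

Added example, not part of the Joe Sandbox report or the Sigma project. The first
event is the record from the report; the second and third are CONSTRUCTED.
"""
import re

# Hive-agnostic match on <hive>\Software\[Wow6432Node\]Microsoft\Office\[<ver>\]<App>\Addins\
ADDIN_KEY = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Office\\(?:\d+\.\d+\\)?"
    r"(?:Outlook|Word|Excel|PowerPoint|Access|OneNote)\\Addins\\",
    re.IGNORECASE,
)
# Images living under the Office install root are allowed to register their own add-ins.
OFFICE_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\Microsoft Office\\", re.IGNORECASE)


def normalize_hive(path):
    """Map the long hive names Sysmon emits to the short forms used in rules."""
    for long, short in (("HKEY_CURRENT_USER", "HKCU"), ("HKEY_LOCAL_MACHINE", "HKLM")):
        if path.upper().startswith(long):
            return short + path[len(long):]
    return path


def triage(event):
    """Return None if the event is not an add-in key write, else a verdict dict."""
    if event.get("EventID") != 13 or event.get("EventType") != "SetValue":
        return None
    target = normalize_hive(event.get("TargetObject", ""))
    if not ADDIN_KEY.search(target):
        return None
    image = event.get("Image", "")
    expected = bool(OFFICE_DIR.match(image))
    # LoadBehavior is the value that makes a COM add-in start with the host application,
    # so a non-Office image setting it is the classic persistence shape.
    load_behavior = target.lower().endswith("\\loadbehavior")
    return {
        "target": target,
        "image": image,
        "severity": "low" if expected else ("high" if load_behavior else "medium"),
    }


# Event 1: the Sysmon record in the report. Events 2 and 3: CONSTRUCTED for this example.
EVENTS = [
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 7620,
     "Image": r"C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1",
     "Details": "00 00 00 00 00 00 00 00"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Office\Outlook\Addins\Evil.Connect\LoadBehavior",
     "Details": "DWORD (0x00000003)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4242,
     "Image": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Users\user\AppData\Local\Temp\update.exe"},
]


def run(events=EVENTS):
    """Return the verdicts for every event that touches an Office add-in key."""
    return [v for v in (triage(e) for e in events) if v]


if __name__ == "__main__":
    for verdict in run():
        print(verdict["severity"], verdict["image"], "->", verdict["target"])
```

Run as written, the report's own event comes out as low (Office binary writing its own add-in key) and the constructed update.exe event as high; the Run-key write is left to a different rule. In production the allow-list would be a signed-image check rather than a path prefix, since a path under Program Files is writable to an attacker who already has admin.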



Phishing

Source: Email | Joe Sandbox AI: Email contains prominent button: 'click here to view the secured document'
Source: Email | Joe Sandbox AI: Detected potential phishing email: The email claims to be from Dubai Police but uses a suspicious Zoho Bookings notification system and an unrelated sender address. Contains multiple suspicious domains and redirects, including a heavily obfuscated URL. Uses a deceptive subject line about a police fine to create urgency and concern.
Source: Email | Classification: Lure-Based Attack
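The "heavily obfuscated URL" in the verdict is, judging by the strings the sandbox pulled from the .eml and from the temp file Outlook wrote while rendering it, a Microsoft Safe Links wrapper whose url= parameter is itself a Trend Micro click-time wrapper (smex-ctp.trendmicro.com/wis/cl..., truncated in the report). Two layers of URL rewriting from two different mail-security products is common on forwarded phish and hides the landing page from a casual reader. The unwrapper below is an added example, not part of the Joe Sandbox report; it peels known wrapper layers offline without contacting any of them. The sample link is constructed for the example: the Trend Micro /wis/clicktime/v1/query path and the booking.example.invalid landing host are assumptions, since the report only shows the wrapper truncated.

```python
"""Peel vendor URL-rewriting wrappers off a link to recover the real destination.

Added example, not from the Joe Sandbox report. The sample URL is CONSTRUCTED;
the Trend Micro wrapper path and the final host are assumptions.
"""
from urllib.parse import urlsplit, parse_qs

# Known rewriting layers: host suffix -> query parameter that carries the inner URL.
WRAPPERS = {
    "safelinks.protection.outlook.com": "url",   # Microsoft Defender Safe Links
    "smex-ctp.trendmicro.com": "url",            # Trend Micro click-time protection (assumed)
}


def inner_url(url):
    """Return the wrapped URL if `url` is a known wrapper, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for suffix, param in WRAPPERS.items():
        if host == suffix or host.endswith("." + suffix):
            values = parse_qs(parts.query).get(param)
            if values:
                return values[0]
    return None


def unwrap(url, max_depth=10):
    """Follow wrapper layers until a non-wrapper URL is reached.

    Returns the chain from outermost to innermost. Bounded by max_depth and by a
    repeat check so a self-referential or adversarially deep chain cannot loop.
    """
    chain = [url]
    while len(chain) < max_depth:
        nxt = inner_url(chain[-1])
        if nxt is None or nxt in chain:
            break
        chain.append(nxt)
    return chain


def final_host(url):
    """Hostname of the innermost URL, the one to pivot on in threat intel."""
    return (urlsplit(unwrap(url)[-1]).hostname or "").lower()


# CONSTRUCTED sample, modelled on the truncated Safe Links string in the report:
# Safe Links -> Trend Micro click-time wrapper -> assumed landing page.
SAMPLE = (
    "https://are01.safelinks.protection.outlook.com/?url="
    "https%3A%2F%2Fsmex-ctp.trendmicro.com%2Fwis%2Fclicktime%2Fv1%2Fquery%3Furl%3D"
    "https%253A%252F%252Fbooking.example.invalid%252Fview-document%26umid%3Dabc"
    "&data=05%7C01%7C&sdata=x&reserved=0"
)

if __name__ == "__main__":
    for depth, u in enumerate(unwrap(SAMPLE)):
        print(f"{depth}: {u}")
    print("final host:", final_host(SAMPLE))
```

Each layer percent-encodes the one beneath it, so parse_qs decoding one layer at a time is exactly right; decoding the whole string in one pass would corrupt the inner query. Only the innermost host is an indicator worth blocking; the wrapper hosts are shared infrastructure that every legitimate message in the tenant also passes through.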
Source: phish_alert_sp2_2.0.0.0.eml | String found in binary or memory:
  https://are01.safelinks.protection.outlook.com/=

Source: ~WRS{473F8AE2-7E7B-4709-901E-9CE42FD12B29}.tmp.1.dr | String found in binary or memory:
  https://are01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsmex-ctp.trendmicro.com%2Fwis%2Fcl

The two entries above are the only URL strings that come from the sample itself (the .eml and the temp file Outlook wrote while rendering it); the report truncates the wrapped URL. Everything below was found in files dropped by process 1 (OUTLOOK.EXE) during the run and consists of Office service, CDN and feedback endpoints plus font licence text; none of it is an indicator tied to this email.

Source: 21798841561.ttf.1.dr | String found in binary or memory:
  http://www.apache.org/licenses/LICENSE-2.0
  http://www.apache.org/licenses/LICENSE-2.0Digitized
  http://www.ascendercorp.com/http://www.ascendercorp.com/typedesigners.htmlLicensed

Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | String found in binary or memory:
  http://b.c2r.ts.cdn.office.net/pr
  http://f.c2r.ts.cdn.office.net/pr
  http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  http://weather.service.msn.com/data.aspx
  https://addinsinstallation.store.office.com/app/acquisitionlogging
  https://addinsinstallation.store.office.com/app/download
  https://addinsinstallation.store.office.com/appinstall/authenticated
  https://addinsinstallation.store.office.com/appinstall/preinstalled
  https://addinsinstallation.store.office.com/appinstall/unauthenticated
  https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
  https://addinslicensing.store.office.com/apps/remove
  https://addinslicensing.store.office.com/commerce/query
  https://addinslicensing.store.office.com/entitlement/query
  https://addinslicensing.store.office.com/orgid/apps/remove
  https://addinslicensing.store.office.com/orgid/entitlement/query
  https://analysis.windows.net/powerbi/api
  https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://api.aadrm.com
  https://api.aadrm.com/
  https://api.addins.omex.office.net/api/addins/search
  https://api.addins.omex.office.net/appinfo/query
  https://api.addins.omex.office.net/appstate/query
  https://api.addins.store.office.com/addinstemplate
  https://api.addins.store.office.com/app/query
  https://api.addins.store.officeppe.com/addinstemplate
  https://api.cortana.ai
  https://api.diagnostics.office.com
  https://api.diagnosticssdf.office.com
  https://api.diagnosticssdf.office.com/v2/feedback
  https://api.diagnosticssdf.office.com/v2/file
  https://api.microsoftstream.com
  https://api.microsoftstream.com/api/
  https://api.office.net
  https://api.officescripts.microsoftusercontent.com/api
  https://api.onedrive.com
  https://api.powerbi.com/v1.0/myorg/datasets
  https://api.powerbi.com/v1.0/myorg/groups
  https://api.powerbi.com/v1.0/myorg/imports
  https://api.scheduler.
  https://apis.live.net/v5.0/
  https://apis.mobile.m365.svc.cloud.microsoft
  https://app.powerbi.com
  https://arc.msn.com/v4/api/selection
  https://asgsmsproxyapi.azurewebsites.net/
  https://augloop.office.com
  https://augloop.office.com/v2
  https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
  https://autodiscover-s.outlook.com/
  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  https://canary.designerapp.
  https://cdn.designerapp.osi.office.net
  https://cdn.designerapp.osi.office.net/designer-mobile
  https://cdn.designerapp.osi.office.net/designerapp/create-module
  https://cdn.designerapp.osi.office.net/designerapp/fonts
  https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
  https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
  https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
  https://cdn.designerapp.osi.office.net/designerapp/mobile-toolbar
  https://cdn.entity.
  https://cdn.hubblecontent.osi.office.net/
  https://cdn.int.designerapp.osi.office.net/fonts
  https://client-office365-tas.msedge.net/ab
  https://clients.config.office.net
  https://clients.config.office.net/
  https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
  https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
  https://clients.config.office.net/user/v1.0/android/policies
  https://clients.config.office.net/user/v1.0/ios
  https://clients.config.office.net/user/v1.0/mac
  https://clients.config.office.net/user/v1.0/tenantassociationkey
  https://cloudfiles.onenote.com/upload.aspx
  https://config.edge.skype.com/config/v1/Office
  https://config.edge.skype.com/config/v2/Office
  https://consent.config.office.com/consentcheckin/v1.0/consents
  https://consent.config.office.com/consentweb/v1.0/consents
  https://cortana.ai
  https://cortana.ai/api
  https://cr.office.com
  https://d.docs.live.net
  https://dataservice.o365filtering.com
  https://dataservice.o365filtering.com/
  https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  https://designerapp.azurewebsites.net
  https://designerappservice.officeapps.live.com
  https://dev.cortana.ai
  https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  https://dev0-api.acompli.net/autodetect
  https://devnull.onenote.com
  https://directory.services.
  https://ecs.office.com
  https://ecs.office.com/config/v1/Designer
  https://ecs.office.com/config/v2/Office
  https://edge.skype.com/registrar/prod
  https://edge.skype.com/rps
  https://enrichment.osi.office.net/
  https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
  https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
  https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
  https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
  https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
  https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
  https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
  https://entitlement.diagnostics.office.com
  https://entitlement.diagnosticssdf.office.com
  https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  https://fpastorage.cdn.office.net/%s
  https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
  https://globaldisco.crm.dynamics.com
  https://graph.ppe.windows.net
  https://graph.ppe.windows.net/
  https://graph.windows.net
  https://graph.windows.net/
  https://hubblecontent.osi.office.net/contentsvc/api/pivots/
  https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
  https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
  https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  https://ic3.teams.office.com
  https://incidents.diagnostics.office.com
  https://incidents.diagnosticssdf.office.com
  https://inclient.store.office.com/gyro/client
  https://inclient.store.office.com/gyro/clientstore
  https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  https://insertmedia.bing.office.net/odc/insertmedia
  https://invites.office.com/
  https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
  https://lifecycle.office.com
  https://login.microsoftonline.com
  https://login.microsoftonline.com/
  https://login.microsoftonline.com/organizations
  https://login.windows-ppe.net/common/oauth2/authorize
  https://login.windows.local
  https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  https://login.windows.net/common/oauth2/authorize
  https://loki.delve.office.com/api/v1/configuration/officewin32/
  https://lookup.onenote.com/lookup/geolocation/v1
  https://make.powerautomate.com
  https://management.azure.com
  https://management.azure.com/
  https://management.core.windows.net/
  https://messagebroker.mobile.m365.svc.cloud.microsoft
  https://messaging.action.office.com/
  https://messaging.action.office.com/setcampaignaction
  https://messaging.action.office.com/setuseraction16
  https://messaging.engagement.office.com/
  https://messaging.engagement.office.com/campaignmetadataaggregator
  https://messaging.lifecycle.office.com/
  https://messaging.lifecycle.office.com/getcustommessage16
  https://messaging.office.com/
  https://metadata.templates.cdn.office.net/client/log
  https://mss.office.com
  https://my.microsoftpersonalcontent.com
  https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
  https://ncus.contentsync.
  https://ncus.pagecontentsync.
  https://notification.m365.svc.cloud.microsoft/
  https://notification.m365.svc.cloud.microsoft/PushNotifications.Register
  https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
  https://ocos-office365-s2s.msedge.net/ab
  https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  https://ods-diagnostics-ppe.trafficmanager.net
  https://ofcrecsvcapi-int.azurewebsites.net/
  https://officeapps.live.com
  https://officeci.azurewebsites.net/api/
  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
  https://officepyservice.office.net/
  https://officepyservice.office.net/service.functionality
  https://officesetup.getmicrosoftkey.com
  https://ogma.osi.office.net/TradukoApi/api/v1.0/
  https://omex.cdn.office.net/addinclassifier/officeentities
  https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
  https://omex.cdn.office.net/addinclassifier/officesharedentities
  https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
  https://onedrive.live.com
  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  https://onedrive.live.com/embed?
  https://otelrules.azureedge.net
  https://otelrules.svc.static.microsoft
  https://outlook.office.com
  https://outlook.office.com/
  https://outlook.office.com/autosuggest/api/v1/init?cvid=
  https://outlook.office365.com
  https://outlook.office365.com/
  https://outlook.office365.com/api/v1.0/me/Activities
  https://outlook.office365.com/autodiscover/autodiscover.json
  https://outlook.office365.com/connectors
  https://ovisualuiapp.azurewebsites.net/pbiagave/
  https://pages.store.office.com/appshome.aspx?productgroup=Outlook
  https://pages.store.office.com/review/query
  https://pages.store.office.com/webapplandingpage.aspx
  https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  https://planner.cloud.microsoft
  https://portal.office.com/account/?ref=ClientMeControl
  https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  https://powerlift-user.acompli.net
  https://powerlift.acompli.net
  https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  https://prod-global-autodetect.acompli.net/autodetect
  https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
  https://prod.support.office.com/InAppHelp
  https://pushchannel.1drv.ms
  https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  https://res.cdn.office.net
  https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
  https://res.cdn.office.net/polymer/models
  https://res.getmicrosoftkey.com/api/redemptionevents
  https://rpsticket.partnerservices.getmicrosoftkey.com
  https://safelinks.protection.outlook.com/api/GetPolicy
  https://service.officepy.microsoftusercontent.com/
  https://service.powerapps.com
  https://settings.outlook.com
  https://shell.suite.office.com:1443
  https://skyapi.live.net/Activity/
  https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://staging.cortana.ai
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-1
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-dark-2
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-100
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-150
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-hc-200
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://statics.teams.cdn.office.net/evergreen-assets/illustrations/win32/m365-device-desktop-light-
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://storage.azure.com/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://substrate.office.com
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://syncservice.o365syncservice.com/"
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://teams.cloud.microsoft/ups/global/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://webshell.suite.office.com
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://wus2.contentsync.
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: mal48.winEML@3/15@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241230T0155230734-7620.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6C3C8601-5CA3-4290-A3F3-5F5407F4386A" "68563A63-B88A-4F7C-884B-B76C5381F25D" "7620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6C3C8601-5CA3-4290-A3F3-5F5407F4386A" "68563A63-B88A-4F7C-884B-B76C5381F25D" "7620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 21 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 File and Directory Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 12 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| phish_alert_sp2_2.0.0.0.eml | 0% | Virustotal | | Browse |
No Antivirus matches
No Antivirus matches
No Antivirus matches
| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| https://are01.safelinks.protection.outlook.com/= | 0% | Avira URL Cloud | safe | |
| https://are01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsmex-ctp.trendmicro.com%2Fwis%2Fcl | 0% | Avira URL Cloud | safe | |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| s-part-0017.t-0009.t-msedge.net | 13.107.246.45 | true | false | | high |
| Name | Source | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|
| https://api.diagnosticssdf.office.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://login.microsoftonline.com/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://shell.suite.office.com:1443 | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://designerapp.azurewebsites.net | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://are01.safelinks.protection.outlook.com/= | phish_alert_sp2_2.0.0.0.eml | false | Avira URL Cloud: safe | unknown |
| https://autodiscover-s.outlook.com/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://useraudit.o365auditrealtimeingestion.manage.office.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://outlook.office365.com/connectors | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://cdn.entity. | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.addins.omex.office.net/appinfo/query | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://clients.config.office.net/user/v1.0/tenantassociationkey | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://powerlift.acompli.net | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://rpsticket.partnerservices.getmicrosoftkey.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://lookup.onenote.com/lookup/geolocation/v1 | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://cortana.ai | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.powerbi.com/v1.0/myorg/imports | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://notification.m365.svc.cloud.microsoft/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://cloudfiles.onenote.com/upload.aspx | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://entitlement.diagnosticssdf.office.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.aadrm.com/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://ofcrecsvcapi-int.azurewebsites.net/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://canary.designerapp. | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://ic3.teams.office.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://www.yammer.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.microsoftstream.com/api/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://cr.office.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://messagebroker.mobile.m365.svc.cloud.microsoft | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://otelrules.svc.static.microsoft | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://portal.office.com/account/?ref=ClientMeControl | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://edge.skype.com/registrar/prod | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://graph.ppe.windows.net | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://res.getmicrosoftkey.com/api/redemptionevents | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://powerlift-user.acompli.net | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://officeci.azurewebsites.net/api/ | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.scheduler. | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://my.microsoftpersonalcontent.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://store.office.cn/addinstemplate | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://api.aadrm.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://edge.skype.com/rps | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://outlook.office.com/autosuggest/api/v1/init?cvid= | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
| https://globaldisco.crm.dynamics.com | 66C92E04-3882-42A8-A34E-0F8770FAF61A.1.dr | false | | high |
                                                                                                        https://messaging.engagement.office.com/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                          high
                                                                                                          https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                            high
                                                                                                            https://dev0-api.acompli.net/autodetect66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                              high
                                                                                                              https://www.odwebp.svc.ms66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                high
                                                                                                                https://api.diagnosticssdf.office.com/v2/feedback66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                  high
                                                                                                                  https://api.powerbi.com/v1.0/myorg/groups66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                    high
                                                                                                                    https://web.microsoftstream.com/video/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                      high
                                                                                                                      https://api.addins.store.officeppe.com/addinstemplate66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                        high
                                                                                                                        https://graph.windows.net66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                          high
                                                                                                                          https://dataservice.o365filtering.com/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                            high
                                                                                                                            https://officesetup.getmicrosoftkey.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                              high
                                                                                                                              https://analysis.windows.net/powerbi/api66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                high
                                                                                                                                https://prod-global-autodetect.acompli.net/autodetect66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                  high
                                                                                                                                  https://substrate.office.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                    high
                                                                                                                                    https://outlook.office365.com/autodiscover/autodiscover.json66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                      high
                                                                                                                                      https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                        high
                                                                                                                                        https://consent.config.office.com/consentcheckin/v1.0/consents66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                          high
                                                                                                                                          https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                            high
                                                                                                                                            https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                              high
                                                                                                                                              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                high
                                                                                                                                                https://notification.m365.svc.cloud.microsoft/PushNotifications.Register66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                  high
                                                                                                                                                  https://d.docs.live.net66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                    high
                                                                                                                                                    https://safelinks.protection.outlook.com/api/GetPolicy66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                      high
                                                                                                                                                      https://ncus.contentsync.66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                        high
                                                                                                                                                        https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                          high
                                                                                                                                                          https://syncservice.o365syncservice.com/"66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                            high
                                                                                                                                                            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                              high
                                                                                                                                                              http://weather.service.msn.com/data.aspx66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                high
                                                                                                                                                                https://apis.live.net/v5.0/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                  high
                                                                                                                                                                  https://officepyservice.office.net/service.functionality66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://templatesmetadata.office.net/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://are01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsmex-ctp.trendmicro.com%2Fwis%2Fcl~WRS{473F8AE2-7E7B-4709-901E-9CE42FD12B29}.tmp.1.drfalse
                                                                                                                                                                        • Avira URL Cloud: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://messaging.lifecycle.office.com/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://planner.cloud.microsoft66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                              high
                                                                                                                                                                              https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://mss.office.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://pushchannel.1drv.ms66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://management.azure.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://outlook.office365.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://wus2.contentsync.66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://incidents.diagnostics.office.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://clients.config.office.net/user/v1.0/ios66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://make.powerautomate.com66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://api.addins.omex.office.net/api/addins/search66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://insertmedia.bing.office.net/odc/insertmedia66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://storage.azure.com/66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://outlook.office365.com/api/v1.0/me/Activities66C92E04-3882-42A8-A34E-0F8770FAF61A.1.drfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1582267
Start date and time: 2024-12-30 07:54:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 7m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phish_alert_sp2_2.0.0.0.eml
Detection: MAL
Classification: mal48.winEML@3/15@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
                                                                                                                                                                                                        • Excluded IPs from analysis (whitelisted): 20.190.159.68, 20.190.159.71, 20.190.159.0, 40.126.31.67, 20.190.159.2, 40.126.31.73, 20.190.159.75, 40.126.31.69, 52.109.28.46, 52.113.194.132, 184.28.90.27, 20.189.173.18, 13.107.246.45, 4.175.87.197, 184.28.90.29
                                                                                                                                                                                                        • Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, onedscolprdwus15.westus.cloudapp.azure.com, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, login.live.com, e16604.g.akamaiedge.net, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, storeedgefd.dsx.mp.microsoft.com, ecs.office.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, azureedge-t-prod.trafficmanager.net, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net, uks-azsc-config.officeapps.live.com
• Not all processes were analyzed; the report is missing behavior information
                                                                                                                                                                                                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                        No simulations
                                                                                                                                                                                                        No context
Match: s-part-0017.t-0009.t-msedge.net (context for every row: 13.107.246.45)

Associated Sample Name / URL | Detection | Threat Name
installer64v9.5.7.msi | malicious | Unknown
zhuzhu.exe | malicious | GhostRat, XRed
017069451a4dbc523a1165a2f1bd361a762bb40856778.exe | malicious | Unknown
http://nemoinsure.com | malicious | Unknown
https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD | malicious | Unknown
file.exe | malicious | LummaC
Kellyb Timesheet Report.pdf | malicious | HTMLPhisher
file.exe | malicious | LummaC
file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc
ceFgl3jkkk.exe | malicious | LummaC

Note that 13.107.246.45 is the address behind s-part-0017.t-0009.t-msedge.net, part of Microsoft's edge CDN, and it appears above in the list of IPs excluded from analysis as whitelisted. The associations in this table reflect Microsoft infrastructure that Office contacts during any run, not infrastructure tied to this sample.
                                                                                                                                                                                                        No context
                                                                                                                                                                                                        No context
                                                                                                                                                                                                        No context
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):231348
                                                                                                                                                                                                        Entropy (8bit):4.3862487745704435
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:mxYL+1gsravDsYCa5gsSKNcAz79ysQqt2K8z+qoQnOrcm0FvbggyrB49wH7ilg8Z:58gtTlgemiGu2cqoQOrt0FvAu840kP4A
                                                                                                                                                                                                        MD5:C5A710CFA817D428917126650192E9A6
                                                                                                                                                                                                        SHA1:C7935E499939BADF60F2D4BFBFADAA9CA395E93D
                                                                                                                                                                                                        SHA-256:BA067B8CE4E662C802E4F3815862B3F21CC8C39716CF6F89B321218239EA4995
                                                                                                                                                                                                        SHA-512:35362390CC2725F9DE7754EEC9EB4D9129A6CF96073F6035C35F05BE6D95BDBA8583A7E83245B4DF53B5EDA5C9F8F9AA62C2BA7153CD61B3FD4832EC5BF029BF
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Preview:TH02...... .....Z......SM01X...,....&z..Z..........IPM.Activity...........h...............h............H..h..............h........xB..H..h\FRO ...1\Ap...h...0... ......hi.4............h........_`Fk...h..4.@...I.tw...h....H...8.Kk...0....T...............d.........2h...............k..7.......E...!h.............. h...K....8.....#h....8.........$hxB......8....."h............'h..............1hi.4.<.........0h....4....Kk../h....h.....KkH..h@0..p........-h .......d.....+h..4........................ ..............F7..............FIPM.Activity.r..Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with very long lines (2014), with no line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):2014
                                                                                                                                                                                                        Entropy (8bit):5.106100511999013
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:48:cGEh+YdnzyrIOnzyQudy9qdSymiJdyCGdyreDnzyb8Syd+ASy8bdy7IkSyrotnzP:rYd2kO2QuE9qdbm0ECGEqD2b8bd+Ab8n
                                                                                                                                                                                                        MD5:EBF20F5A10BAA4D85390030217FD3A1F
                                                                                                                                                                                                        SHA1:F59E2BD3506840788C3AAC9AEEBB15DA85472BC7
                                                                                                                                                                                                        SHA-256:32A2D251762A1BBD390908605F206E58F9BF2BB5E8F22EE69C9D928D77E09A3B
                                                                                                                                                                                                        SHA-512:9FC1D6CD76C18E6AAEB868A07857E1872404074A2455DC90156CC82627821BBC161E0176630E082F8A56E5551465F53764FC356A995ACDBAFAB5C3F49090BE7D
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>13</Count><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-05T07:49:21Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-05T07:49:21Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2023-10-05T07:49:21Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-05T07:49:21Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos_26215682</Id><LAT>2023-10-05T07:49:21Z</LAT><key>31169036496.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2023-10-05T07:49:21Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Display_458764
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:TrueType Font data, digitally signed, 19 tables, 1st "DSIG", 26 names, Macintosh, Digitized data copyright \251 2010-2011, Google Corporation.Open SansRegular1.10;1ASC;OpenSans-R
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):217276
                                                                                                                                                                                                        Entropy (8bit):6.419567239266024
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:6144:GLpzdD/rIJXiQTutgCNktQFvmnoxXTS4u8sl:c9FrIJJaqCNktA+SXfJsl
                                                                                                                                                                                                        MD5:D7D5D4588A9F50C99264BC12E4892A7C
                                                                                                                                                                                                        SHA1:513966E260BB7610D47B2329DBA194143831893E
                                                                                                                                                                                                        SHA-256:13C03E22A633919BEB2847C58C8285FB8A735EE97097D7C48FD403F8294B05F8
                                                                                                                                                                                                        SHA-512:CE9F98208CD818E486A12848B2D64BD14E12D42D84B2E47436A3C4420A242583EEFC4A9B42401B51CC204146C6133645975682E4BB5D48527B3796770EFA3397
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:moderate, very likely benign file
                                                                                                                                                                                                        Preview:...........0DSIG..D...;H...tGDEF.&....7(....GPOS.7.7..7H...8GSUB.+=...7.....OS/2.6.........`cmap............cvt .M..........fpgm~a.....<....gasp...#..7.....glyft8.K..$.../.head..cp...<...6hhea...s...t...$hmtx.5<.........kernT+.~..T....6loca)..........Vmaxp.C......... nameH.B.........post.C.l......&+prepC...................Ww.(_.<..........51......+.........b...........................{...............................V......./.\.......................3.......3.....f..................@. [...(....1ASC.@. ...........X ........H..... ...................#...5...+.3.......h...q.....^.R.^.=.j.V...h...?...T.!.........f.......d...^...+.......u...^...h...j.!...!.?...h...w...h.o...1.y...../.....}.....s...!.....}.......T.#.`.....'...9.......;.}.....;.}.....d.j.m...........h.......{.....R...........3.V.1.........s.^.......s...s.}.s.....b.'.............3.......q.........s.......s.D.....j.............9...1.'.......R...=.h.....H...h.....#.........?...{.....h...!.{...5...d...F...R...h...T...d.....m.....h
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):183024
                                                                                                                                                                                                        Entropy (8bit):5.293759736957226
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:DrVwfRAqpbH4wglEpLe7HWKQjj/o/NMOcAZl1p5ihs7EXXbEADwaKBIa5YdGVF8M:D8e7HWKQjj/o/aXotTB
                                                                                                                                                                                                        MD5:C29356A1CA9933471DB0DF411126C814
                                                                                                                                                                                                        SHA1:5C5A2BF8F90FE44F9EABC4FE8B869ED269D0F269
                                                                                                                                                                                                        SHA-256:AB7B5B947CDA50E068434DFB23825B4A8D57303012224A05DF32AA1CF144F4B3
                                                                                                                                                                                                        SHA-512:6FDA5892BC7B5D623CAC696E5304D09ECA5E0792A6C22C4287109B8704F9AEE71D81D117CEE86D6287313EB50203C307FE7269AB1104522697AF96657475D64B
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-12-30T06:55:26">.. Build: 16.0.18406.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results?fullframe=yes</o:url>.. <o:ticket o:policy="DELEGATION" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Bearer {}" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.Resourc
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                        Entropy (8bit):0.04604146709717531
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:3:Gtlxtjlw601nEdLNl/6Y1lxtjlw601nEdLNl/wlR9//8l1lvlll1lllwlvlllglK:GtT01yNlB1T01yNlA9X01PH4l942wU
                                                                                                                                                                                                        MD5:95661FA0C5D028DBAD418DB128460F02
                                                                                                                                                                                                        SHA1:73C629F4907C4AB0C36EC6BFA2407A57AD2FA0D7
                                                                                                                                                                                                        SHA-256:1BE68420872FE78320E7361E09F26979269C1B6F368F77B7617D20A97E5CF8AC
                                                                                                                                                                                                        SHA-512:E3910BB64FB1C4BD23B6C5579CEDC12AC7F02BC15F058590878DD8675BE8252A04CCCA5DE492823D0077D4F9374514F7E148B221A3816C1CF8D7806408127BF2
                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                        Reputation:low
                                                                                                                                                                                                        Preview:..-........................Af....y 6\b.I!.....Z...-........................Af....y 6\b.I!.....Z.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                                                                                                                                                                                                        File Type:SQLite Write-Ahead Log, version 3007000
                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                        Size (bytes):49472
                                                                                                                                                                                                        Entropy (8bit):0.48275409667619207
Encrypted: false
SSDEEP: 48:NIdSQ1wbeUll7DYMw5p6zO8VFDYMws9BO8VFDYML:N+Fub5ll4j5pKjVGjs3jVGC
MD5: 0669B8BF97B3D1A9C2E134442004238C
SHA1: FB4C15235A8CB010BE2F7A1443978B0B07B87909
SHA-256: CFAF074A046D6BF9A800E9F76B1571111FC7DD11194A15C5A40ABE3D95D6C369
SHA-512: 9551EF3417CF8F5E696A317B5609F0BCFC110535DAA63458B61F40B6683BCCE205A50CB545FCB1566BF9E14A7E58E53411AFC7E6B3CC0F6866A8B5E356F573B1
Malicious: false
Reputation: low
Preview: 7....-...........y 6\b.I..|+..,.........y 6\b.IQ..e{..RSQLite format 3......@ .......................................................................... .............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 2048
Entropy (8bit): 1.7868697770444717
Encrypted: false
SSDEEP: 12:igkX0wYIOT9upua59udju0uy0Y0nk0n0h08260o606f0H:ZRSwB0Y0k0n0h08260F06f0H
MD5: FC4BF0D7505A424305799259E29C1721
SHA1: 8AF55DECE2A882328CEC5EE4089193192E8AEB15
SHA-256: 63073563E16CCB49D1926D5AC07993D2F6E0E683362520FBE10A71AD1C4566B5
SHA-512: F9125E9880A473DB8CB3F4381A13432D082B89E99889228398C9F74B269ACA9CBF17DBEE1CB32E8087347E3840A48879784DD3051F094B3876CA49B821207997
Malicious: false
Reputation: low
Preview: ....1.2.....1.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.2.....1.....1.....1.2.....1.2.....1.2.....1.2.....(.....(.....(.....(.....(...f.r.o.n.t.d.e.s.k...f..................................................................................................................................................................................................................................................................................................................................................................................... ..."...(...*...0...2...8...:...@...B...H...J...P...R...V...X...\...^...d...f...l...................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 4808
Entropy (8bit): 4.27854559489404
Encrypted: false
SSDEEP: 48:DswVnpWY2l4GYOmNEfhMKNwRn5g1b2knq+MuSYA5zLylrSw7lUDAmJtJ29s+LbWm:oWnQY2DYOeG7xzRkyl1UDAqxybWm
MD5: F20522C29E9D9AFB3370ABC14A53612F
SHA1: AD7522D5D4455110C2EADA36984C120488FB48A8
SHA-256: 4357E71FBEB64ED58A390316E74ECFA0DB319A1C3E0D0972C392A6482DAD2CC1
SHA-512: 336B770814AFBD1E7505D6F60614CA3A3671BF9780F8BF4E2C7BDF1CEC8D5EC1F011DA1864DCCDB80087705ABC4DFECD5A4EA0CCABD6F64858596896C58C3BB6
Malicious: false
Preview: ....C.A.U.T.I.O.N.:. .T.h.i.s. .e.m.a.i.l. .i.s. .o.r.i.g.i.n.a.t.e.d. .f.r.o.m. .a.n. .E.x.t.e.r.n.a.l. .A.d.d.r.e.s.s... .D.o. .n.o.t. .v.i.s.i.t. .t.h.e. .l.i.n.k.s. .o.r. .o.p.e.n. .a.t.t.a.c.h.m.e.n.t.s. .u.n.l.e.s.s. .y.o.u. .r.e.c.o.g.n.i.z.e. .t.h.e. .S.e.n.d.e.r.....%.4.9.'.1. .:.1.'.E.). .E.F. .4.1.7.). ./.(.J. .............................................................................................................................................................................................................F...............H...........:...P...@...................................................................................................................................................................................................................................................................................&..F....d.....-D..M............[$.....&..F....d.....-D..M............[$.......d...d.-D..@&.M............[$.\$....-D..M................$.-D..M............a$.....

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: ASCII text, with very long lines (28754), with CRLF line terminators
Category: dropped
Size (bytes): 20971520
Entropy (8bit): 0.1632679578312664
Encrypted: false
SSDEEP: 1536:d56Mt+CCTeTkFkSK2UUrnV6Rpa6sJ3NI+rQPo9KOGqcysBdIxjWCySOaoF6NaJBs:1+9GkFqcaid
MD5: AE6410324274B7CA662DAE3959FF46E9
SHA1: 5016ADE28B1C7115EF9B181DFA197080DD47E7B7
SHA-256: B7F0060982134E8E45E2399CCB1E0D42D739A3CF1191E5E62621A38B575D7350
SHA-512: 470081E564C3FE530C7C97002CD63E8E8AEE9D36A1C4CB3B23A0C782445E4545B012DF72F533450D35F13C09A29D4BCB86207B8A5A990A12451A586148CF24D1
Malicious: false
Preview: Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..12/30/2024 06:55:24.234.OUTLOOK (0x1DC4).0x1DC8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-12-30T06:55:24.234Z","Contract":"Office.System.Activity","Activity.CV":"Tqlg8vdI2ES5O1vM74qndw.4.9","Activity.Duration":16,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...12/30/2024 06:55:24.265.OUTLOOK (0x1DC4).0x1DC8.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-12-30T06:55:24.265Z","Contract":"Office.System.Activity","Activity.CV":"Tqlg8vdI2ES5O1vM74qndw.4.10","Activity.Duration":12410,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 20971520
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: 8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1: 9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256: CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512: 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious: false
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 110592
Entropy (8bit): 4.516716265223695
Encrypted: false
SSDEEP: 1536:yiVY4T699uaPr8x+F8Xt/Xo2kKMzBncP+Cfj:HVY4T63uaj8x+6XdXo2kKMzBncPpfj
MD5: DA51EAFB5AE94B450D0FE4077102485C
SHA1: 334E1157897B82FBEFD993178CD0BE0AFED80024
SHA-256: FA9CC61B2E2EF2BD805F61DF6BFE328B73495CD43A83EE316930A4C8C8F95434
SHA-512: C1C7E5ACE200A663C93AAEF0845D8B8627303FBC877E8BE851F78F26BCDC97E58361392F82A3B27CD9384784DE5E9555E4868F66E5C4DE70C8D854303AC56A0F
Malicious: false
Preview: ............................................................................h............(..Z..................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1............................................................3.TV............(..Z..........v.2._.O.U.T.L.O.O.K.:.1.d.c.4.:.6.7.6.f.b.6.7.f.8.f.4.3.4.c.8.a.a.f.a.d.f.8.b.f.7.2.d.9.2.d.b.d...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.2.3.0.T.0.1.5.5.2.3.0.7.3.4.-.7.6.2.0...e.t.l.......P.P..........(..Z..................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: GIF image data, version 89a, 15 x 15
Category: dropped
Size (bytes): 663
Entropy (8bit): 5.949125862393289
Encrypted: false
SSDEEP: 12:PlrojAxh4bxdtT/CS3wkxWHMGBJg8E8gKVYQezuYEecp:trPsTTaWKbBCgVqSF
MD5: ED3C1C40B68BA4F40DB15529D5443DEC
SHA1: 831AF99BB64A04617E0A42EA898756F9E0E0BCCA
SHA-256: 039FE79B74E6D3D561E32D4AF570E6CA70DB6BB3718395BE2BF278B9E601279A
SHA-512: C7B765B9AFBB9810B6674DBC5C5064ED96A2682E78D5DFFAB384D81EDBC77D01E0004F230D4207F2B7D89CEE9008D79D5FBADC5CB486DA4BC43293B7AA878041
Malicious: false
Preview: GIF89a....w..!..MSOFFICE9.0.....sRGB......!..MSOFFICE9.0.....msOPMSOFFICE9.0Dn&P3.!..MSOFFICE9.0.....cmPPJCmp0712.........!.......,....................'..;..b...RQ.xx..................,+................................yy..;..b.........................qp.bb..........uv.ZZ.LL.......xw.jj.NN.A@....zz.mm.^_.........yw........yx.xw.RR.,*.++............................................................................................................................................................................................................8....>.......................4567...=..../0123.....<9:.()*+,-.B.@...."#$%&'....... !............C.?....A;<...HT(..;

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 30
Entropy (8bit): 1.2389205950315936
Encrypted: false
SSDEEP: 3:pIhl/t:mh
MD5: 573971C5EB6E97F934CE4BBB6651D2F9
SHA1: 5411D2A256482E0059F679E2DAA9EAB34CA14D68
SHA-256: CDE5BD069E91E1EF03023FBA05F7863D4E637E5C0C1ACE2E6108537644245DD5
SHA-512: 61C3D0A3F73994C94D83F34E808E017BFB3EC7C2BB7DAF835B0E286910717B1017227076655E4C07F3643BE8C66AAD9772B2DE7E184DCC5B65428542C647BDCD
Malicious: false
Preview: .....-........................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 2.563248752356302
Encrypted: false
SSDEEP: 1536:RTs8ckA6CgckckgAfV8sk4WfiyYe8xLzR41h3GvRB3hXsDQL8e8xL2k6nFW53jEK:RPiDRY7vJsDQLzp9Bp9
MD5: 3FF7FE96DAFF3F264BDCF7863778BF82
SHA1: 0CE0B2392D03FCA1B88D70A284267824B18A081D
SHA-256: 38E9ED86B21B80804972B179F2D54AA82FE6C01002117000A5065F9604E9AB41
SHA-512: 859CD59A2F7E7B3829CEBC648B5FB27E63FDD1763A3B39A8DD7EABAE68D7FF8E35EBE0FB5464B9DBEFABA524FD99E71C983C4E876294D20302583226DA98E4F8
Malicious: true
Preview: !BDN...SM......\....'..................[................@...........@...@...................................@...........................................................................$.......D...........................................................................................................................................................................................................................................................................................................................................g.6.h......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
                                                                                                                                                                                                        Size (bytes):131072
                                                                                                                                                                                                        Entropy (8bit):3.2247038056419064
                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                        SSDEEP:1536:uW53jEpEHP4qQ10PAwr1S1/z8U8xLwd8sAyuIW53jEpEHP4qQ10PAwr0bRNLXp/f:cp9lyevuKp9nLp
                                                                                                                                                                                                        MD5:6BA26B6328F518DFDE5EEB8317033B13
                                                                                                                                                                                                        SHA1:AC22509E2873E747C3E3C8F6A196E316B746F3FF
                                                                                                                                                                                                        SHA-256:DC176C1EB0CE813FAAA6B889ED57F6F3E757A52781016A37AF1252A17FAC2221
                                                                                                                                                                                                        SHA-512:D6A336834E206168A70BCB4804F5AA39D079A6F3ADA6E780E4D68833A69548ACED41A399ED82EBAD0A16E14E8FF48E5BADC293DCB7FD8586C1265E0EFA08CA67
                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                        Preview:J#..C...j...........XM..Z....................#.!BDN...SM......\....'..................[................@...........@...@...................................@...........................................................................$.......D...........................................................................................................................................................................................................................................................................................................................................g.6.h..XM..Z.......B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:RFC 822 mail, ASCII text, with very long lines (1965), with CRLF line terminators
Entropy (8bit):5.922226553148347
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name:phish_alert_sp2_2.0.0.0.eml
File size:18'852 bytes
MD5:9a5666ecb57a9b487e212116d4d25f57
SHA1:d336537163627c8e16d6723157e2301ff2167003
SHA256:4bcde5e502301614efa0ba9d4e7681db2ffabf3d97eb699ba2bd695d2ed0ead0
SHA512:28d18364d7e7a38a7b9d9974be56c03cd1a41460797b2989da8a8d24dad85294289dbce9d0d3075988a6c77aa4f29facff6175f590cadb2c4b1819983cea7eab
SSDEEP:384:uMLwAZOXtCJfzivVd2eTE01bmmAgKtxuAyIJJkb:uMLwAZOX8JfzivL2CNRmmmHQb
TLSH:7882D6B3746C20A437A14FF8A2437FA699551989CBE70BD420BE434406AA12BFF51F7D
File Content Preview:Received: from AU1P273MB1901.AREP273.PROD.OUTLOOK.COM.. (2603:1086:200:57::13) by AU2P273MB0921.AREP273.PROD.OUTLOOK.COM with.. HTTPS; Sat, 28 Dec 2024 02:22:47 +0000..Received: from DX0P273CA0031.AREP273.PROD.OUTLOOK.COM (2603:1086:300:58::9).. by AU1P27
Subject:A fine notice from Dubai Police
From:notification@zohobookings.com
To:Ayesha Abdulla Al Khaaldi <Ayesha.AlKhaaldi@dubaiculture.ae>
Cc:
BCC:
Date:Fri, 27 Dec 2024 21:22:31 -0500
Communications:
• CAUTION: This email is originated from an External Address. Do not visit the links or open attachments unless you recognize the Sender. (external-sender warning banner; it is repeated several times in the extracted body)
• 07/23/2023 (the surrounding body text is right-to-left, per the embedded stylesheet's direction: rtl, and survives extraction only as runs of dots)
• https://are01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fsmex-ctp.trendmicro.com%2Fwis%2Fclicktime%2Fv1%2Fquery%3Furl%3Dhttps%253a%252f%252fshm.to%252fpolice%26umid%3D0d23e2e5-f76c-4734-8c53-52692e5df704%26auth%3D771bc9afedacaf21ff6267a075d4e92f38a56cd1-76eb9d39a6a3c5ec361f1d32692c8a467e476d6a&data=05%7C02%7CAyesha.AlKhaaldi%40dubaiculture.ae%7Ce61f856a9427497dbe9a08dd26e68277%7C1ee74fefbf154332b65a6df657279935%7C1%7C0%7C638709493671732176%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C40000%7C%7C%7C&sdata=9V8u2HI86XlUOWlMxLl2o%2BPRFrACGKMl%2F%2BZY5u%2FChBA%3D&reserved=0
• This email was sent to you by corabel855@freesourcecodes.com from SUOPPRT via Zoho Bookings. Contact the sender corabel855@freesourcecodes.com for any clarifications. If you think this is spam, please report it to abuse@zohocorp.com for immediate investigation and action.
Attachments:
• 30 min meeting with SIMO.ics
Received: by mx.zohocloud.ca with SMTPS id 1735352551615364.2341606523629; Fri, 27 Dec 2024 21:22:31 -0500 (EST)
Authentication-Results: spf=softfail (sender IP is 185.78.244.246) smtp.mailfrom=user.zohobookings.ca; dkim=fail (body hash did not verify) header.d=zohobookings.com;dmarc=fail action=none header.from=zohobookings.com;
Received-Spf: Pass (domain user.zohobookings.ca designates 199.67.69.210 as a permitted sender), client-ip=<199.67.69.210>; identity=<bounces+96cc0fb0-c4c2-11ef-b17c-2655081e6903_vt1@user.zohobookings.ca>; helo=<system2-210.zeptomail.ca>;
Arc-Seal: i=1; a=rsa-sha256; t=1735352552; cv=none; d=zohomail360.ca; s=zohoarc; b=FBfdMf9zCj3vp3vQZSrP19obB0PzvsuOWdk8DLoPqWO5gdNssLwmWWYyE4/S39CQmtOSuEZULgqguMNGnBxO1yxaqWufnFfmTu531QbDVlhdVqGVRMRQA5f9cCAwLrSGwvKKIXHcOX3SBCrN3bjnjPquwmoGy5eBlOdZ9G/9TC4=
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=zohomail360.ca; s=zohoarc; t=1735352552; h=Content-Type:Date:Date:From:From:MIME-Version:Message-ID:Reply-To:Reply-To:Subject:Subject:To:To:Message-Id:Cc; bh=qVuL5FbyNxvvu1V6S1fSim8Ddhw+LqBF5e7MBNfoQYA=; b=WkH6rS6nWtPG62pOCtQCmhwg2GthSVucWJOxvU980MJQAFx1ZvP2rcwUxT6Qp+6n0tqaHhJ2Fj44eC4372Cn/u9LFF9pdf+24JFwn3fiXW5CX5IizP5ENWJtnAZh/PdUKsFz6QGqCuo1CFpSppMzKMvZMitzRcjheUpczt6or5c=
Arc-Authentication-Results: i=1; mx.zohomail360.ca; dkim=pass header.i=zohobookings.com; spf=pass smtp.mailfrom=bounces+96cc0fb0-c4c2-11ef-b17c-2655081e6903_vt1@user.zohobookings.ca; dmarc=pass header.from=<notification@zohobookings.com>
Dkim-Signature: a=rsa-sha256; b=IXimnrBrQ+t0C3DkBmawSHUCjPCc4TBuhbQer+E7zM/xxI17I86VeDz49c6UvT+beKMC300F3kCaEy+xnj7N9DJURh26UYSMRLCFtcdYI66C71qJo6zCRcsq3bwmrjfDfSHGyWn6KbnuJ9D7cjFaoWNsM7wB+Lffi4REJvKDRYo=; c=relaxed/relaxed; s=2826696452161; d=zohobookings.com; v=1; bh=qVuL5FbyNxvvu1V6S1fSim8Ddhw+LqBF5e7MBNfoQYA=; h=date:from:reply-to:to:message-id:subject:mime-version:content-type:date:from:reply-to:to:message-id:subject;
Date: Fri, 27 Dec 2024 21:22:31 -0500
From: notification@zohobookings.com
Reply-To: corabel855@freesourcecodes.com
To: Ayesha Abdulla Al Khaaldi <Ayesha.AlKhaaldi@dubaiculture.ae>
Message-Id: <3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b@user.zohobookings.ca>
Subject: A fine notice from Dubai Police
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17355360253990.6910273714511612"
X-Transmail: transmail
Original-Envelope-Id: 3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b
X-Jid: 3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b
Tm-Mail-Jid: 3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b
X-App-Message-Id: 3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b
X-Report-Abuse: <mailto:abuse+3b2f8.3c037297d1e753b4.m1.96cc0fb0-c4c2-11ef-b17c-2655081e6903.1940b12842b@zeptomail.ca>
X-Zoho-Virus-Status: 1
X-Zoho-Av-Stamp: zmail-av-1.4.1/227.185.87
X-Zohomailclient: External
X-Seg-Spamprofiler-Analysis: v=2.4 cv=HK2RFZtv c=1 sm=1 tr=0 ts=676f60ee b=1 p=8Vpt1asHAAAA:8 a=jdJ9YNF0i0Cp29Z+iBYexQ==:117 a=jdJ9YNF0i0Cp29Z+iBYexQ==:17 a=RZcAm9yDv7YA:10 a=IV9cfEO-ZvIA:10 a=7TkYG1A8AAAA:8 a=ytyj2zl9AAAA:8 a=XA_05EqruHdn4O2xgSsA:9 a=5h7NqfyMbTVTztJW:21 a=_W_S_7VecoQA:10 a=lqcHg5cX4UMA:10 a=QEXdDO2ut3YA:10 a=kRPjSbjzFNwA:10 a=ImwWUX5h3JJ3gRE9moBe:22 a=OP72AkHfvCprdRIF52UA:9 a=pt9G7I5XmLUTiVRDx3fboKQV4P0=:19 a=Zq7r0XqNILgA:10 a=rVnDm9A_-c-k2ki-JAcA:9 a=3ZKOabzyN94A:10 a=Iv6wv51_8wQhu8XjO2uV:22 a=s32ZXkSTkGnSimxBV1yp:22 a=Kz4u_ZPItYQhEMAJvr6f:22 a=tU6cvD4BqOXQIHuACRQ7:22 a=pporQVP1f3IcyGjEEk_R:22
X-Seg-Spamprofiler-Score: 100
Return-Path: bounces+96cc0fb0-c4c2-11ef-b17c-2655081e6903_vt1@user.zohobookings.ca
X-Tm-Snts-Smtp: 97216456BD735E9B1ED1281503A8E34D80DCDFAD0A79B5448DA73A265D24FFB52000:8
X-Exclaimer-Md-Config: 1b89284e-e4ca-4afb-b899-c4370bca71aa
X-Organizationheaderspreserved: HBWPMBX08.msg.dubai.gov.ae
X-Ms-Exchange-Organization-Expirationstarttime: 28 Dec 2024 02:22:42.9697 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id: e61f856a-9427-497d-be9a-08dd26e68277
X-Eopattributedmessage: 0
X-Ms-Exchange-Organization-Messagedirectionality: Originating
X-Ms-Exchange-Organization-Scl: 1
X-Crosspremisesheaderspromoted: DX3PEPF00000099.AREP273.PROD.OUTLOOK.COM
X-Crosspremisesheadersfiltered: DX3PEPF00000099.AREP273.PROD.OUTLOOK.COM
X-Ms-Publictraffictype: Email
X-Ms-Traffictypediagnostic: DX3PEPF00000099:EE_|AU1P273MB1901:EE_|AU2P273MB0921:EE_
X-Ms-Exchange-Organization-Authsource: HBWPMBX03.msg.dubai.gov.ae
X-Ms-Exchange-Organization-Authas: Anonymous
X-Originatororg: dubaiculture.ae
X-Ms-Office365-Filtering-Correlation-Id: e61f856a-9427-497d-be9a-08dd26e68277
X-Ms-Exchange-Atpmessageproperties: SA|SL
X-Microsoft-Antispam: BCL:0;ARA:13230040|5073199012|4073199012|82310400026|12012899012|5062899012|3072899012|2092899012|8096899003|4076899003;
X-Forefront-Antispam-Report: CIP:185.78.244.246;CTRY:AE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:smtp.dubaiculture.ae;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(5073199012)(4073199012)(82310400026)(12012899012)(5062899012)(3072899012)(2092899012)(8096899003)(4076899003);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime: 28 Dec 2024 02:22:42.7353 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id: e61f856a-9427-497d-be9a-08dd26e68277
X-Ms-Exchange-Crosstenant-Id: 1ee74fef-bf15-4332-b65a-6df657279935
X-Ms-Exchange-Crosstenant-Originalattributedtenantconnectingip: TenantId=1ee74fef-bf15-4332-b65a-6df657279935;Ip=[185.78.244.246];Helo=[smtp.dubaiculture.ae]
X-Ms-Exchange-Crosstenant-Authsource: HBWPMBX03.msg.dubai.gov.ae
X-Ms-Exchange-Crosstenant-Authas: Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader: HybridOnPrem
X-Ms-Exchange-Transport-Crosstenantheadersstamped: AU1P273MB1901
X-Ms-Exchange-Transport-Endtoendlatency: 00:00:04.3038447
X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8293.000
X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
X-Microsoft-Antispam-Message-Info: [opaque base64 value omitted]
Content-Transfer-Encoding: 7bit

Icon Hash: 46070c0a8e0c67d6

DNS queries (Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS):
Dec 30, 2024 07:55:16.841494083 CET | 1.1.1.1 | 192.168.2.7 | 0xec08 | No error (0) | shed.dual-low.s-part-0017.t-0009.t-msedge.net | s-part-0017.t-0009.t-msedge.net | (none) | CNAME (Canonical name) | IN (0x0001) | false
Dec 30, 2024 07:55:16.841494083 CET | 1.1.1.1 | 192.168.2.7 | 0xec08 | No error (0) | s-part-0017.t-0009.t-msedge.net | (none) | 13.107.246.45 | A (IP address) | IN (0x0001) | false

Target ID: 1
Start time: 01:55:19
Start date: 30/12/2024
Path: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Imagebase: 0x730000
File size: 34'446'744 bytes
MD5 hash: 91A5292942864110ED734005B7E005C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

Target ID: 2
Start time: 01:55:26
Start date: 30/12/2024
Path: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "6C3C8601-5CA3-4290-A3F3-5F5407F4386A" "68563A63-B88A-4F7C-884B-B76C5381F25D" "7620" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase: 0x7ff7e5af0000
File size: 710'048 bytes
MD5 hash: EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: false

No disassembly