
Windows Analysis Report
nested-phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name:nested-phish_alert_sp2_2.0.0.0.eml
Analysis ID:1500049
MD5:88e43fec3e1c9ea42ccefd9eb5d92b89
SHA1:17d2c53143a96ffa506b611bc20ef2dd0b4a619f
SHA256:baf1213f397084e6bdf02c1e4384dbd9040064326a2a1033f68683f3ced5d406

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 8024 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 3392 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91660081-029E-48F9-8285-49EF82740A07" "6848AD10-B891-4458-BCB1-412F94668DFC" "8024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 8024, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://webshell.suite.office.com
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://wus2.contentsync.
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: D7E8689D-7D56-45BE-BE22-5367780402CD.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine | Classification label: clean1.winEML@3/22@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240827T1413290757-8024.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91660081-029E-48F9-8285-49EF82740A07" "6848AD10-B891-4458-BCB1-412F94668DFC" "8024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (88 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (one line per tactic; cells as shown in the report, with the report's hit count in parentheses where it gives one)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server
Initial Access: Valid Accounts | Default Accounts | Domain Accounts
Execution: Windows Management Instrumentation | Scheduled Task/Job | At
Persistence: DLL Side-Loading (1) | Boot or Logon Initialization Scripts | Logon Script (Windows)
Privilege Escalation: Process Injection (1) | DLL Side-Loading (1) | Logon Script (Windows)
Defense Evasion: Masquerading (1) | Process Injection (1) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
Discovery: Process Discovery (1) | System Information Discovery (13) | Query Registry
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
Command and Control: Data Obfuscation | Junk Data | Steganography
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact
Behavior Graph (ID: 1500049, Sample: nested-phish_alert_sp2_2.0...., Startdate: 27/08/2024, Architecture: WINDOWS, Score: 1): OUTLOOK.EXE started (70 created registry values, 159 created files); ai.exe started by OUTLOOK.EXE.
No Antivirus matches
Source | Detection | Scanner | Label
https://api.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://login.microsoftonline.com/ | 0% | URL Reputation | safe
https://shell.suite.office.com:1443 | 0% | URL Reputation | safe
https://designerapp.azurewebsites.net | 0% | URL Reputation | safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 0% | URL Reputation | safe
https://autodiscover-s.outlook.com/ | 0% | URL Reputation | safe
https://useraudit.o365auditrealtimeingestion.manage.office.com | 0% | URL Reputation | safe
https://outlook.office365.com/connectors | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://api.addins.omex.office.net/appinfo/query | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/tenantassociationkey | 0% | URL Reputation | safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://lookup.onenote.com/lookup/geolocation/v1 | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://api.powerbi.com/v1.0/myorg/imports | 0% | URL Reputation | safe
https://cloudfiles.onenote.com/upload.aspx | 0% | URL Reputation | safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 0% | URL Reputation | safe
https://entitlement.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
https://canary.designerapp. | 0% | URL Reputation | safe
https://ic3.teams.office.com | 0% | URL Reputation | safe
https://www.yammer.com | 0% | URL Reputation | safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 0% | URL Reputation | safe
https://cr.office.com | 0% | URL Reputation | safe
https://messageuserer.mobile.m365.svc.cloud.microsoft | 0% | URL Reputation | safe
https://otelrules.svc.static.microsoft | 0% | URL Reputation | safe
https://portal.office.com/account/?ref=ClientMeControl | 0% | URL Reputation | safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | 0% | URL Reputation | safe
https://edge.skype.com/registrar/prod | 0% | URL Reputation | safe
https://graph.ppe.windows.net | 0% | URL Reputation | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://tasks.office.com | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 0% | URL Reputation | safe
https://api.scheduler. | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://edge.skype.com/rps | 0% | URL Reputation | safe
https://globaldisco.crm.dynamics.com | 0% | URL Reputation | safe
https://messaging.engagement.office.com/ | 0% | URL Reputation | safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.diagnosticssdf.office.com/v2/feedback | 0% | URL Reputation | safe
https://api.powerbi.com/v1.0/myorg/groups | 0% | URL Reputation | safe
https://web.microsoftstream.com/video/ | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://graph.windows.net | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://analysis.windows.net/powerbi/api | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://substrate.office.com | 0% | URL Reputation | safe
https://outlook.office365.com/autodiscover/autodiscover.json | 0% | URL Reputation | safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 0% | URL Reputation | safe
https://consent.config.office.com/consentcheckin/v1.0/consents | 0% | URL Reputation | safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 0% | URL Reputation | safe
https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.md). | 0% | Avira URL Cloud | safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices | 0% | URL Reputation | safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 0% | URL Reputation | safe
https://safelinks.protection.outlook.com/api/GetPolicy | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 0% | URL Reputation | safe
http://weather.service.msn.com/data.aspx | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://api.microsoftstream.com/api/ | 0% | Avira URL Cloud | safe
https://officepyservice.office.net/service.functionality | 0% | URL Reputation | safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 0% | URL Reputation | safe
https://templatesmetadata.office.net/ | 0% | URL Reputation | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 0% | URL Reputation | safe
https://messaging.lifecycle.office.com/ | 0% | URL Reputation | safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 0% | URL Reputation | safe
https://pushchannel.1drv.ms | 0% | URL Reputation | safe
https://management.azure.com | 0% | URL Reputation | safe
https://outlook.office365.com | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://incidents.diagnostics.office.com | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/ios | 0% | URL Reputation | safe
https://make.powerautomate.com | 0% | URL Reputation | safe
https://api.addins.omex.office.net/api/addins/search | 0% | URL Reputation | safe
https://insertmedia.bing.office.net/odc/insertmedia | 0% | URL Reputation | safe
https://outlook.office365.com/api/v1.0/me/Activities | 0% | URL Reputation | safe
https://api.office.net | 0% | URL Reputation | safe
https://my.microsoftpersonalcontent.com | 0% | Avira URL Cloud | safe
https://incidents.diagnosticssdf.office.com | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
https://clients.config.office.net/user/v1.0/android/policies | 0% | URL Reputation | safe
https://entitlement.diagnostics.office.com | 0% | URL Reputation | safe
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 0% | URL Reputation | safe
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 0% | Avira URL Cloud | safe
https://d.docs.live.net | 0% | Avira URL Cloud | safe
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://login.microsoftonline.com/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://shell.suite.office.com:1443 | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://designerapp.azurewebsites.net | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://autodiscover-s.outlook.com/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/connectors | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://cdn.entity. | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://powerlift.acompli.net | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://cortana.ai | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://github.com/andre-fuchs/kerning-pairs/blob/master/LICENSE.md). | 30153066857.ttf.0.dr | false | Avira URL Cloud: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/imports | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://cloudfiles.onenote.com/upload.aspx | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://entitlement.diagnosticssdf.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://api.aadrm.com/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://canary.designerapp. | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://ic3.teams.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://www.yammer.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://api.microsoftstream.com/api/ | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | Avira URL Cloud: safe | unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://cr.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | Avira URL Cloud: safe | unknown
https://messageuserer.mobile.m365.svc.cloud.microsoft | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://otelrules.svc.static.microsoft | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://portal.office.com/account/?ref=ClientMeControl | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://edge.skype.com/registrar/prod | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://graph.ppe.windows.net | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://res.getmicrosoftkey.com/api/redemptionevents | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | D7E8689D-7D56-45BE-BE22-5367780402CD.0.dr | false | URL Reputation: safe | unknown
https://officeci.azurewebsites.net/api/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/workD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.scheduler.D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://my.microsoftpersonalcontent.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • Avira URL Cloud: safe
unknown
https://store.office.cn/addinstemplateD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.aadrm.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://edge.skype.com/rpsD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • Avira URL Cloud: safe
unknown
https://globaldisco.crm.dynamics.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.engagement.office.com/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://dev0-api.acompli.net/autodetectD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://www.odwebp.svc.msD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.diagnosticssdf.office.com/v2/feedbackD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.powerbi.com/v1.0/myorg/groupsD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://web.microsoftstream.com/video/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.store.officeppe.com/addinstemplateD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://graph.windows.netD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://dataservice.o365filtering.com/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://officesetup.getmicrosoftkey.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://analysis.windows.net/powerbi/apiD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://prod-global-autodetect.acompli.net/autodetectD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://substrate.office.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/autodiscover/autodiscover.jsonD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-iosD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://consent.config.office.com/consentcheckin/v1.0/consentsD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://d.docs.live.netD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • Avira URL Cloud: safe
unknown
https://safelinks.protection.outlook.com/api/GetPolicyD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://ncus.contentsync.D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • Avira URL Cloud: safe
unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
http://weather.service.msn.com/data.aspxD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://apis.live.net/v5.0/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://officepyservice.office.net/service.functionalityD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://templatesmetadata.office.net/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://messaging.lifecycle.office.com/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://pushchannel.1drv.msD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://management.azure.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://wus2.contentsync.D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnostics.office.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/iosD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://make.powerautomate.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.addins.omex.office.net/api/addins/searchD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://insertmedia.bing.office.net/odc/insertmediaD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://outlook.office365.com/api/v1.0/me/ActivitiesD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://api.office.netD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://incidents.diagnosticssdf.office.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://asgsmsproxyapi.azurewebsites.net/D7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://clients.config.office.net/user/v1.0/android/policiesD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://entitlement.diagnostics.office.comD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.jsonD7E8689D-7D56-45BE-BE22-5367780402CD.0.drfalse
  • URL Reputation: safe
unknown
No contacted IP infos
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1500049
Start date and time:2024-08-27 20:12:16 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 48s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:9
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:nested-phish_alert_sp2_2.0.0.0.eml
Detection:CLEAN
Classification:clean1.winEML@3/22@0/0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 23.222.8.109, 52.109.68.129, 2.19.126.151, 2.19.126.160, 20.42.65.85, 52.109.32.39, 52.109.32.38, 52.109.32.47, 52.109.32.46
  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, e16604.g.akamaiedge.net, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, prod.fs.microsoft.com.akadns.net, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, onedscolprdeus05.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, neu-azsc-config.officeapps.live.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, s-0005.s-msedge.net, config.office
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • VT rate limit hit for: nested-phish_alert_sp2_2.0.0.0.eml
No simulations
No context
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.396200586363017
Encrypted:false
SSDEEP:1536:K7wYLjP8gsC8tkLQbsMJYxQZBmgsuESNcAz79ysQqt2e9z5XA+qoQLEIrcm0Fv1C:aYgQjAghmiGu2GqoQjrt0FvdAy5dLqL
MD5:92221947761755A55E0A5725608156FD
SHA1:DAD5B59D2479465AC3075A0A163FF282DF2BB89B
SHA-256:CE7DE7C6752F1742080ADF938AB119885C1AED20A50C67353EE8EB832CDE7210
SHA-512:B15E0BDBA02D3F5EA422D8943E67E5B7FE5D2DD81BC67D0F7C485FA5F8251174BB7A1A3292B2EC3F8396E118C4A8B9201DA603FC57A5B64A35A4DBF0D9C0E75C
Malicious:false
Reputation:low
Preview:TH02...... ..9<........SM01X...,.....-............IPM.Activity...........h...............h............H..h..o.....$......h............H..h\bro ...pDat...hHx..0.....o....h..............h........_`.j...hp..@...I.ew...h....H...8..j...0....T...............d.........2h...............k..vm..........!h.............. h..........o...#h....8.........$h........8....."hP.......`.....'h..............1h...<.........0h....4.....j../h....h......jH..hpU..p.....o...-h .......<.o...+h4........o................. ..............F7..............FIPM.Activity.st.Form.e..Standard.tanJournal Entry.pdIPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.000Microsoft.ofThis form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:dropped
Size (bytes):1869
Entropy (8bit):5.089483643730479
Encrypted:false
SSDEEP:48:cGldSyr4nzyedyVkdyDSyrXnzyrHnzyr8dnzydASyldyGJdyLkSyO:9db02eEyEDbb2j2od2dAblEQEAbO
MD5:560E654452B4614CD3F0CBEBA5A3368C
SHA1:A54EAC5CE31EB48E1E4F5F49BD7BD6AB411413CF
SHA-256:AC4FFDF0B71E527CA18983B0A5F366676940CFAA772D659A38675B3415CFCF6B
SHA-512:30BB6124933CF5955AA75C5EF444233E75784589F9AAD40097CD045EDB717ADB3FDAC14948C414CCD135C9D55D61B78640C17E3CDE7E6F6ECD485254755DB2AE
Malicious:false
Reputation:low
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos Narrow_26215424</Id><LAT>2024-08-27T18:13:30Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2024-08-27T18:13:30Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-08-27T18:13:30Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_26215680</Id><LAT>2024-08-27T18:13:38Z</LAT><key>30153066857.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2024-08-27T18:13:30Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215682</Id><LAT>2024-08-27T18:13:30Z</LAT><key>28367963232.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:JSON data
Category:dropped
Size (bytes):521377
Entropy (8bit):4.9084889265453135
Encrypted:false
SSDEEP:3072:gdTb5Sb3F2FqSrfZm+CnQsbzxZO7aYb6f5780K2:wb5q3umBnzT
MD5:C37972CBD8748E2CA6DA205839B16444
SHA1:9834B46ACF560146DD7EE9086DB6019FBAC13B4E
SHA-256:D4CFBB0E8B9D3E36ECE921B9B51BD37EF1D3195A9CFA1C4586AEA200EB3434A7
SHA-512:02B4D134F84122B6EE9A304D79745A003E71803C354FB01BAF986BD15E3BA57BA5EF167CC444ED67B9BA5964FF5922C50E2E92A8A09862059852ECD9CEF1A900
Malicious:false
Reputation:moderate, very likely benign file
Preview:{"MajorVersion":4,"MinorVersion":40,"Expiration":14,"Fonts":[{"a":[4294966911],"f":"Abadi","fam":[],"sf":[{"c":[1,0],"dn":"Abadi","fs":32696,"ful":[{"lcp":983041,"lsc":"Latn","ltx":"Abadi"}],"gn":"Abadi","id":"23643452060","p":[2,11,6,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":26215680},{"c":[1,0],"dn":"Abadi Extra Light","fs":22180,"ful":[{"lcp":983042,"lsc":"Latn","ltx":"Abadi Extra Light"}],"gn":"Abadi Extra Light","id":"17656736728","p":[2,11,2,4,2,1,4,2,2,4],"sub":[],"t":"ttf","u":[2147483651,0,0,0],"v":197263,"w":13108480}]},{"a":[4294966911],"f":"ADLaM Display","fam":[],"sf":[{"c":[536870913,0],"dn":"ADLaM Display Regular","fs":140072,"ful":[{"lcp":983040,"lsc":"Latn","ltx":"ADLaM Display"}],"gn":"ADLaM Display","id":"31965479471","p":[2,1,0,0,0,0,0,0,0,0],"sub":[],"t":"ttf","u":[2147491951,1107296330,0,0],"v":131072,"w":26215680}]},{"a":[4294966911],"f":"Agency FB","fam":[],"sf":[{"c":[536870913,0],"dn":"Agency FB Bold","fs":54372,"ful":[{"lcp":9830
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:TrueType Font data, 20 tables, 1st "GDEF", 38 names, Macintosh, \251 2024 Microsoft Corporation. All Rights Reserved. The "kern" table of this font was develope
Category:dropped
Size (bytes):220792
Entropy (8bit):6.4449616995688
Encrypted:false
SSDEEP:6144:/gNszJEdEFNVyVHJoTPZWdQOWedqa8a3Y8:/yHo4fqaz3D
MD5:1250B2192733FA4D140AB32D9D31FBA1
SHA1:09ACB6EB6A1F48E6BB94B6270A9BD27085AD8748
SHA-256:95980114FCFD42F2F9C446DAE429B70582BF2F03097D68433EA9E7D85A49DA0B
SHA-512:C274240785A5F93BEC620EEA3CF93F3A3ACFE86808786C83B69C71DC315633814AA161DF0409E1355FF8AB0B774FADFBA07C19BAD804054C69A982135DDE592F
Malicious:false
Reputation:low
Preview:...........@GDEF.y.....X....GPOS.a.......w.GSUB.N....M....4OS/2J..........`STAT......\....|cmap.v.....D....cvt !.....2.....fpgmW.....!P....gasp.......L....glyf-:.3..=...}.head$......L...6hhea...........$hmtxB&.....(....kern...s.......Lloca%.....3.....maxp........... meta6.xS..]t....name.6.=.......Npost...2...,... prepp.....0..............'.._.<..........u......h25.....u.........................&.....u.............................p......./.....L.........|.......3.......3.......f.............. ...............MS ...............3 ..........B... ...................................................................................................w...w.............l...l...l...l...l...l.}...}...}...}...}...3...s...s...s...s...s...s...s...s.9.s...s...s...s...s...s...s...s...s.....^.t.i.s.....l...R.2...2.....l...l...l...l...l...l...........................................................-.......%...%.....................................R.................................l...l...l...l...l...l...l
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:TrueType Font data, 10 tables, 1st "OS/2", 7 names, Microsoft, language 0x409, \251 2018 Microsoft Corporation. All Rights Reserved.msofp_4_40RegularVersion 4.40;O365
Category:dropped
Size (bytes):773040
Entropy (8bit):6.55939673749297
Encrypted:false
SSDEEP:12288:Zn84XULLDs51UJQSOf9VvLXHyheIQ47gEFGHtAgk3+/cLQ/zhm1kjFKy6Nyjbqq+:N8XPDs5+ivOXgo1kYvyz2
MD5:4296A064B917926682E7EED650D4A745
SHA1:3953A6AA9100F652A6CA533C2E05895E52343718
SHA-256:E04E41C74D6C78213BA1588BACEE64B42C0EDECE85224C474A714F39960D8083
SHA-512:A25388DDCE58D9F06716C0F0BDF2AEFA7F68EBCA7171077533AF4A9BE99A08E3DCD8DFE1A278B7AA5DE65DA9F32501B4B0B0ECAB51F9AF0F12A3A8A75363FF2C
Malicious:false
Reputation:moderate, very likely benign file
Preview:........... OS/29....(...`cmap.s.,.......pglyf..&....|....head2..........6hheaE.@v.......$hmtx...........@loca.U.....8...Dmaxp........... name.P+........post...<...... .........b~1_.<...........<......r......Aa...................Q....Aa....Aa.........................~...................................................3..............................MS .@.......(...Q................. ...........d...........0...J.......8.......>..........+a..#...,................................................/...K.......z...............N......*...!...-...+........z.......h..%^..3...&j..+...+%..'R..+..."....................k......$A...,.......g...&...=.......X..&........*......&....B..(B...............#.......j...............+...P...5...@...)..........#...)Q...............*...{.. ....?..'...#....N...7......<...;>.............. ]...........5......#....s.......$.......$.......^..................+...>....H.......%...7.......6.......O...V...........K......"........c...N......!...............$...&...*p..
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (65536), with no line terminators
Category:dropped
Size (bytes):322260
Entropy (8bit):4.000299760592446
Encrypted:false
SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
MD5:CC90D669144261B198DEAD45AA266572
SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
Malicious:false
Reputation:high, very likely benign file
Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with no line terminators
Category:dropped
Size (bytes):10
Entropy (8bit):2.2464393446710154
Encrypted:false
SSDEEP:3:LBS7E:t8E
MD5:341EB31FF751CFF573AC4C3D5F350FFC
SHA1:DA61365EFDB218FA8E49592658C89D721A62E751
SHA-256:4C461D087C2E8D58DC4AB7F860807BAB92295661D7464DD7542DEC71244F6DCC
SHA-512:0AD4D7018A4EC071BAEC3CA790BD2AB1A39D7F49DBCF329657E255F3B33781FCC23C26B79A151C69C85C613AA62755FF25E13E651C93DB9F369CBD06DC89406D
Malicious:false
Preview:1724782421
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):176365
Entropy (8bit):5.287468267636747
Encrypted:false
SSDEEP:1536:Ei2XfRAqcbH41gwEiLe7HW8bM/o/NMYcAZl1p5ihs7EXXmEAD2Odad:B4e7HW8bM/o/wXDku
MD5:0EFE19188E65F3A788BD8E5EDED9F7DA
SHA1:EF74E5715659D126A42E911F7F0EDEFE783D8D23
SHA-256:72D1E61C55440D9F7E577249C1183813EFB42F57DC6816EDDD3290C8246C497A
SHA-512:9DC565F4E38334A3E9DB48459958FB2331C3FDB21471862C06481C77F3A1E3D0D4EAF66D3DB7D04708CFC14D3746BBB6DE395A59DD7E81B55EDF4570F84E0EA7
Malicious:false
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-08-27T18:13:33">.. Build: 16.0.18014.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09304735440217722
Encrypted:false
SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:false
Preview:SQLite format 3......@ ..........................................................................K.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.1384465837476566
Encrypted:false
SSDEEP:3:7FEG2l+clK/FllkpMRgSWbNFl/sl+ltlslN04l9Xll8:7+/lDSg9bNFlEs1E39k
MD5:BB3697441D0F2EBA277D67F63FA5876D
SHA1:0113BCA0CAEA9C0C6C200161EC5040BF55DA4D5C
SHA-256:1042DA90A653E6DDC92C74CB38EE20B6F069221AC2959FE83C2D189C870674D0
SHA-512:D2E75B37B333963719D9770448DB7DC1B67223A48DA8568FA049D49F135AFBD8F9D26133A39EDEAAB4C2A906B1D99F52E1FEAB060B258E0ED34E9E86F9678376
Malicious:false
Preview:.... .c.......%.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................SQLite format 3......@ ..........................................................................K.................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04482848510499482
Encrypted:false
SSDEEP:3:G4l2hdWHJfPtl2hdWHJfXX8lL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l232Ptl232XX0L9XXPH4l942U
MD5:215119F1BF5BA8CF269059F16D67FF6B
SHA1:E75F96D3B76CB87C93A7655752AF9106996B37EC
SHA-256:4AB0CDA0BCC887BB5BFD9F817241ECB462C0850D4D422856CF3332B706319706
SHA-512:B6F6FBE5DC7ACA1F3686DB7EEA87B6E2F75580417D403776AE9815E61494E63E34D07588AE4955C550AD6A13E7F5C0A6467E984BADF1B43A9543978587207224
Malicious:false
Preview:..-.........................*...m.....t.:."..w..-.........................*...m.....t.:."..w........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:dropped
Size (bytes):45352
Entropy (8bit):0.39391341901033006
Encrypted:false
SSDEEP:24:K9Z0XAg28QMIzRDNA5ve7ill7DBtDi4kZERDNS82KmSxqt8VtbDBtDi4kZERDNsN:SyJ28Qjy5Aill7DYMnxO8VFDYMx
MD5:FEA1DE3F01871C58FE00B205FDB9E585
SHA1:5489FADA915335A3F7F6487C77B55A35732D8ADF
SHA-256:8260F0A5D539DAD7E4AD474BCDDC58D31CC276A6FCF1061DB84E49E8EAA8CB7C
SHA-512:565FF7D062DEE9440091F7C1A90E4E4195870814D68E671BDD5FC7264D2689188E815E4C834E0F99008975F3919493457FAF5A7CE476D3ACEC4D768D5D12A344
Malicious:false
Preview:7....-...........m.....t..p....3.........m.....t....\4m.SQLite format 3......@ ..........................................................................K.............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:PNG image data, 189 x 56, 8-bit/color RGBA, non-interlaced
Category:dropped
Size (bytes):6907
Entropy (8bit):7.894902775057321
Encrypted:false
SSDEEP:192:KGknHl39GWOqEZK44nW0j9hXFkT82+bz2fw8E:qniWOqF4Z8nVkArN8E
MD5:602E3E1B5BE0294DABF47873EB205BF2
SHA1:4FC1A98FD4D42F4F22F16EF69DDB3FA6B1332F44
SHA-256:A0363FE462016BFFC097D3111C61B3F47998F8817BCE4A1BC4C1F1487E93BDD4
SHA-512:AD51395698F07FD4FBB75CF9545B0FA5171E7C2211ACA54D297AE83B8A70F165EF412ABA3545A94C6867EDA238F326C32AB7FE4D1806C3D0E74806285B7B87ED
Malicious:false
Preview:.PNG........IHDR.......8........[....sRGB.........gAMA......a.....pHYs..........+......tEXtSoftware.Adobe ImageReadyq.e<....iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c145 79.163499, 2018/08/13-16:40:22 "> <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:OriginalDocumentID="uuid:5D20892493BFDB11914A8590D31508C8" xmpMM:DocumentID="xmp.did:929DD79CE94C11E9B7AE9652DB0A5425" xmpMM:InstanceID="xmp.iid:929DD79BE94C11E9B7AE9652DB0A5425" xmp:CreatorTool="Adobe Illustrator CC 23.1 (Macintosh)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:1cdf38ad-2bd1-4dba-bc70-54a7e10a2764" stRef:documentID="xmp.did:1cdf38ad-2bd1-4dba-bc70-54a7e10a2764"/> <dc:tit
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):1536
Entropy (8bit):1.9896214161381782
Encrypted:false
SSDEEP:12:Jlk+WQJDEDcjNElRONgw0fkQKmsAxN2zu/ivJHkAXzsAlsA/pw:pWoEm4Ut0fzK2NsuEJHVXz5Vw
MD5:F1740E7F8CAB6849F3E7E493BA12A3B1
SHA1:EB672F567BDBB2DEDBF13B43B27AF4DEC739CBF6
SHA-256:39E9E6B267D3038B6E72A98BEEF3CD79E52949107826817DCF41418E30FC5422
SHA-512:E8EB0C37DE5F1680A67438F85E91F1B004DECBA9DDCFDEDB11F7BCAEDF44C7ADC4501C171667BA4E62FFEB4093A4766BB2495E59E216A31431ACCD4E6E6496AE
Malicious:false
Preview:....G.o.o.d. .M.o.r.n.i.n.g.,. .P.l.e.a.s.e. .s.e.e. .a.t.t.a.c.h.e.d. .t.h.a.t. .w.a.s. .e.m.a.i.l.e.d. .o.n. .0.8./.2.0./.2.4. .f.o.r. .y.o.u.r. .r.e.v.i.e.w...........T.h.a.n.k. .y.o.u.,.......I.N.C.L.U.D.E.P.I.C.T.U.R.E. .".c.i.d.:.i.m.a.g.e.0.0.1...p.n.g.@.0.1.D.A.F.8.9.A...4.9.9.C.4.1.0.0.". .\.*. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28739), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.18305562415340515
Encrypted:false
SSDEEP:1536:pGKQsXwuN5TGcvtutfyXM+kPKNzpX2mi2Y3nSONvlQ5mNiz8M+9d0/9ajjTmfzOh:FX3PTvt+1ITW
MD5:A368D1C66AA2CE4CD729510219DFAF3F
SHA1:DE1733896484865F3DB28114E6E894A9583F7778
SHA-256:B936EFB57F1B9246CFEE2D129665C82C056FC8FAC253CFA54A7FACB7F8A116CC
SHA-512:BF6CF9C0CB2A17DEB711897A6DAF41B30DED80D26F51BE871431B142A801A2850555D31990BA3C1C1D217B5A5F5B51F178FA6D2BA3E3276AEEF368A733EE0AD0
Malicious:false
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..08/27/2024 18:13:30.195.OUTLOOK (0x1F58).0xC88.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-08-27T18:13:30.195Z","Contract":"Office.System.Activity","Activity.CV":"SXMkoogaqUCHij/SIcguhQ.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...08/27/2024 18:13:30.210.OUTLOOK (0x1F58).0xC88.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-08-27T18:13:30.210Z","Contract":"Office.System.Activity","Activity.CV":"SXMkoogaqUCHij/SIcguhQ.4.10","Activity.Duration":10768,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3::
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):110592
Entropy (8bit):4.5193112023300825
Encrypted:false
SSDEEP:768:ReHvdnPmBN+ytPn44Zr91SbvDrWRWaXjTCEJHf+1FDJd/i/gCJLo8X0XZhfRPjjD:K4Zr91Sb7UXj2XPpjD
MD5:9E53153C85547F0267534AC887D54D70
SHA1:F696BA2DD75755F17706E5F2215449DCB22F6871
SHA-256:CDEB3C467CED81D787C6EC711E168DB7E3C2631407D1F13CAA44C76329C6AC19
SHA-512:3AEFAA10276F5D4C10CE2C9FF101D85404EFD10C1A154CD70E50B461DC2B539E98A72DEB083188E9FB0847971D2944011A085065A4564104213BDC96F919DB74
Malicious:false
Preview:............................................................................`.......X...#......................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@.G.l...........#..............v.2._.O.U.T.L.O.O.K.:.1.f.5.8.:.7.0.4.f.c.2.9.4.e.1.7.e.4.7.1.f.8.2.f.6.7.2.8.c.2.8.f.9.9.f.a.a...C.:.\.U.s.e.r.s.\.b.r.o.k.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.8.2.7.T.1.4.1.3.2.9.0.7.5.7.-.8.0.2.4...e.t.l.......P.P.....X.................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:3:U4lX:U4l
MD5:70B7FFE3710CADA621A2E0A0C590A46D
SHA1:E78F0D78AFC58D9A62DE5DF2D08DAE1A6E0C37FA
SHA-256:A17719C1B8C3C9DD297BDBBE2792618AC734F8F91567CE18430E8AAFAC528972
SHA-512:61542CBE2B4A9422D760F41C63DDFDE468B9CCA94515AF8BD74B98E99D5889B194219A28D1E1FFACCF6E357AE77E9156923F0F65AFD4EEFCD94C496F19D7B407
Malicious:false
Preview:....cI........................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.6700653939958965
Encrypted:false
SSDEEP:12:rl3baFSGsqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCmoL:rLwmnq1Py961T
MD5:044D238B7668AB178E1DA97438EFA2C3
SHA1:D176D4A5DC704D0AD2FE8FAC3C2A5BE352E45C00
SHA-256:971E352C8A8BB43D003166E319F9F19C62C8DFDFC64FEF886470E5A935F19F7B
SHA-512:054338B579D1337D4760B68BD1F670FDD14E0B3F583005315F1113A759E45B3289088C4EDF0787FDCFB95D313D05CA5636566B2E3FC15E9F16BE2F5A2F6F4719
Malicious:false
Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:modified
Size (bytes):14
Entropy (8bit):2.699513850319966
Encrypted:false
SSDEEP:3:QH67vln:Qa79
MD5:02D52CC7E56EDC72F48B849DD008B370
SHA1:15B9F79906EDFC98224F857DEC8528D02DD68107
SHA-256:86C89C4C21847C61EE136A4B19FC5A701D1C387A4B50A728BEBB2CFF56AC4855
SHA-512:50B53DCAF8A68B2DEBF8B0D43EFA5C3F97079ECB675044801F5F0B69DDB174635A90E1D88041B2361087CA9959B0BD9431568497646CBAFB548EA2A677AF5789
Malicious:false
Preview:..b.r.o.k.....
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):3.658484662613537
Encrypted:false
SSDEEP:1536:wk0Bl8AhVP4tcCklhpi9qvgRMr1vzjDdnahqQ1dZddbC8jR3L+ZPTxW53jEpEHPa:wbV5l60nahqQ7ZdlXUp9UZp9
MD5:1DCA959DE784CFF0D2163167946AC863
SHA1:03E1C76323B0061B64262DF3DD8A8A624B9EE34B
SHA-256:284EE6BEA9E14DBEB2EAD52BAD55A56BE3EECF68407A7D23FE99C1A5657892AA
SHA-512:AD52AD86D1E65296EAA6595A5B68EA6486BFF6A57F17B1AA8D736D247D43EE1926490DD1507970512A21D5BCB40FA24F66DE6477EFB4D02F24137959CCE3100E
Malicious:false
Preview:!BDN-...SM......\....>..................h................@...........@...@...................................@...........................................................................$.......D...............................>..................................................................................................................................................................................................................................................................................................,..........Kqc......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):4.450807963326244
Encrypted:false
SSDEEP:1536:C53jEpEHP4qQ10PAwr1s/MYqWrn+hO8jR3LbtcCklzdZd5b3QTW53jEpEHP4qQ1N:lp90on+h7slXZdp3Qlp9
MD5:B5B125CD9FA089CC367309932C8424E3
SHA1:730CA522414A7FBC970F55DEEF1CFC4843C96798
SHA-256:165EFABB3404A0EBDB4E811A40592E02C044D0C5E978A51085DFBF42EA180AEA
SHA-512:6155A99FAC5499484AFE41F474812ED93A993736CFDB93956DBE3D970082D84F9365681F78E83482DEB95AA111228C28DAD82DBB2570B36FEECD5C4397B7036D
Malicious:false
Preview:S..0C...q.......X...)........................#.!BDN-...SM......\....>..................h................@...........@...@...................................@...........................................................................$.......D...............................>..................................................................................................................................................................................................................................................................................................,..........Kqc..)...........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
File type:RFC 822 mail, ASCII text, with very long lines (2049), with CRLF line terminators
Entropy (8bit):6.179172655359519
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:nested-phish_alert_sp2_2.0.0.0.eml
File size:46'491 bytes
MD5:88e43fec3e1c9ea42ccefd9eb5d92b89
SHA1:17d2c53143a96ffa506b611bc20ef2dd0b4a619f
SHA256:baf1213f397084e6bdf02c1e4384dbd9040064326a2a1033f68683f3ced5d406
SHA512:4ca190d4f4572aab60c7c3d62b29cd4d9a744728dc13681f2c457bbf8099967895092e4ebb976d924b0d22c3cd67149206581ea3fe695d874e1a0230bb927f6c
SSDEEP:768:XJnlRcywPner3K7u5UrrTOSm11IasIp4iyr3/Mw6b58bc0IWIEDFrlKX:XJnlRVJK7pWSm11dT7yrPQbWbc0JIEZW
TLSH:A1239F32F4591550B2FCFAD5B0053B06A4C23A8E43BA66F1B61D99D83DCA9F1729324F
File Content Preview:Received: from SJ2PR22MB4555.namprd22.prod.outlook.com.. (2603:10b6:a03:55e::6) by SJ2PR22MB5262.namprd22.prod.outlook.com with.. HTTPS; Tue, 27 Aug 2024 16:45:27 +0000..Received: from DS7P220CA0010.NAMP220.PROD.OUTLOOK.COM (2603:10b6:8:1ca::8).. by SJ2PR
Subject:ConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf.
From:Lauren Trzaskus <ltrzaskus@consulttruenorth.com>
To:Lauren Trzaskus <ltrzaskus@consulttruenorth.com>
Cc:
BCC:
Date:Tue, 27 Aug 2024 16:43:46 +0000
Communications:
  • Good Morning, Please see attached that was emailed on 08/20/24 for your review. Thank you, Trusted Partner. Leading Environmental Solutions. Lauren F. Trzaskus, Senior Consultant 525 Junction Road I Suite 5800 I Madison, WI 53717 o 608.234.5092 ext.7 I m 815.557.7256 I f 608.237.2453 ConsultTrueNorth.com P Please consider the environment. The information contained in this e-mail is intended only for the individual or entity to whom it is addressed and should not be opened, read or utilized by any other party. This message shall not be construed as official project information or as direction except as expressly provided in the contract document. Its contents (including any attachments) may contain confidential and/or privileged information. If you are not an intended recipient you must not use, disclose, disseminate, copy or print its contents. If you receive this e-mail in error, please notify the sender by reply e-mail and delete and destroy the message.
Attachments:
  • image001.png
  • ConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf..eml
Key Value
Receivedfrom CYXPR02MB10196.namprd02.prod.outlook.com ([fe80::68b9:f14a:c583:1a16]) by CYXPR02MB10196.namprd02.prod.outlook.com ([fe80::68b9:f14a:c583:1a16%7]) with mapi id 15.20.7875.019; Tue, 27 Aug 2024 16:43:46 +0000
Arc-Seali=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=NnQYfbOvI/7nrufzdfgeeFZ5FWFRfhGv4z4p3Tc32Dpf4tbCszKvlxYbdMfzFqrYQfvnoFyLkTwcOB8kJ9og7VbMlfB4aJlx1JUC5nBmBR/IBmoUmy2YocLfQ2BfplyNBl5Od8h4lvUHd2XjC6cmj9FvF8oDCho7BSOSpcAL5zxG4Q/Aj+GwJRr5fmCfaDKnAFcqrg5uwQSL89epw7mHrDAOJr/pEEbb1PHqJLQ/MI7kIhJh2pOykovlo8wZY5hBmJ6+3HS4Mgr/wBRw3r6uNUt4y3eyLbBKRw+04SHdIX808Ame+erGk9JZNOX9UjIXRy56o4L8jDpCkZkCDcvYdg==
Arc-Message-Signaturei=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=9ROLC8DL5LQOsf42J6UaxHE+MGXGzAA40At6rFiqqAo=; b=FFHVCKyMbgfVhuD4xvNnzPlgU2tJe0AXxlDyX5dv0jxN4ttEBGtsjG41vwlkDRkoJ+4SUc+6EguO2Pv6XDfSo5EgBM9c9aUDEckBjQY2z74/oaPlHJHu4i+1baib3yVWerEoXZ2Y4EYVt4nJ74oVhn0H8glHoJp+KRYuO6Yx65fKY/Fh9Dl/k3K61tbbbTeFOJSiHvPhOQQoFRS/fIDkJbdRfBRb+XJ3M2ynTPvcjfF1xuJKBQSMpJ08Hpt5TE9rfFWAb6WZ0g8Zde7E0hUSjpoAHmnAjegc4+7qSj1SAnuRqkQTfAmEbtYkCKs/vz1lSUIVJeKvTwxnC8nhk2mWiw==
Arc-Authentication-Resultsi=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=consulttruenorth.com; dmarc=pass action=none header.from=consulttruenorth.com; dkim=pass header.d=consulttruenorth.com; arc=none
Authentication-Resultsspf=softfail (sender IP is 18.208.22.118) smtp.mailfrom=consulttruenorth.com; dkim=pass (signature was verified) header.d=consulttruenorth.com;dmarc=bestguesspass action=none header.from=consulttruenorth.com;compauth=pass reason=109
Received-SpfSoftFail (protection.outlook.com: domain of transitioning consulttruenorth.com discourages use of 18.208.22.118 as permitted sender)
X-Tm-Mail-Received-Time1724777123.868000
X-Tm-Mail-Uuid28fcf683-672b-4685-8e70-28746870783d
Dkim-Signaturev=1; a=rsa-sha256; c=relaxed/relaxed; d=consulttruenorth.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=9ROLC8DL5LQOsf42J6UaxHE+MGXGzAA40At6rFiqqAo=; b=qM/EkrkIizmXNbX3WlDLyLKNZXsmP+Ac/uHbKUFVSEunFI2yGkBwQcwO+M5/u17ONSWoaUI1hi1J9DCr6+jbzL43MyOljsH+s8UImxZboh5uu+zHLHlA2TmdL7MJK2rmFal6fP7+InpxJgJQUDJPONXam7QgSyGBXmoThQQdCho=
FromLauren Trzaskus <ltrzaskus@consulttruenorth.com>
ToLauren Trzaskus <ltrzaskus@consulttruenorth.com>
SubjectConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf.
Thread-TopicConsultTrustNorth-payment Requisition #42 3L# 1414 18 Dock.pdf.
Thread-IndexAdr4mYJ2nlXWLHvOTMWk2tIQBMlaJQAAFfUw
DateTue, 27 Aug 2024 16:43:46 +0000
Message-Id <CYXPR02MB10196D5E9D4254A411B556F45DF942@CYXPR02MB10196.namprd02.prod.outlook.com>
References <CYXPR02MB10196E5D37F0CBC38C8F91AA8DF942@CYXPR02MB10196.namprd02.prod.outlook.com>
In-Reply-To <CYXPR02MB10196E5D37F0CBC38C8F91AA8DF942@CYXPR02MB10196.namprd02.prod.outlook.com>
Accept-Languageen-US
Content-Languageen-US
X-Ms-Has-Attachyes
Authentication-Results-Originaldkim=none (message not signed) header.d=none;dmarc=none action=none header.from=consulttruenorth.com;
X-Ms-Traffictypediagnostic CYXPR02MB10196:EE_|SJ0PR02MB7406:EE_|DS1PEPF00017096:EE_|SJ2PR22MB4555:EE_|SJ2PR22MB5262:EE_
X-Ms-Office365-Filtering-Correlation-Id dd652bf3-ab18-4da1-1ca5-08dcc6b7a68e
X-Ld-Processed4f541a0d-5981-446f-a96b-54f97a8da888,ExtAddr
X-Ms-Exchange-Senderadcheck1
X-Ms-Exchange-Antispam-Relay0
X-Microsoft-Antispam-Untrusted BCL:0;ARA:13230040|376014|7416014|1800799024|366016|3613699012|38070700018;
X-Forefront-Antispam-Report-Untrusted CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:CYXPR02MB10196.namprd02.prod.outlook.com;PTR:;CAT:NONE;SFS:(13230040)(376014)(7416014)(1800799024)(366016)(3613699012)(38070700018);DIR:OUT;SFP:1102;
X-Ms-Exchange-Antispam-Messagedata-Original-Chunkcount1
Content-Typemultipart/mixed; boundary="----sinikael-?=_1-17247791207370.17463254623424662"
MIME-Version1.0
X-Ms-Exchange-Transport-CrosstenantheadersstampedSJ2PR22MB4555
X-Bess-Id1724777038-110308-22531-1625-1
X-Bess-Ver2019.1_20240826.2119
X-Bess-Apparent-Source-Ip40.93.13.24
X-Bess-Parts H4sIAAAAAAACA03NPY5CMQwE4LukprCdxD9cBW0RJw4UwK7EK1ZC3J1XBInGGo 30jU/PFP9bOqZtv4f0+0hHBLQ9XfYSpJmBT68kjkwjpFOgtZLzUK3pdfj4y3ZbXtV4+b CBnLnj4CrCkx1zw15LhEfP9OX/7ufl2UCWZ6DIgV49gKyM5rOISg4nqD6/fdyun/+Za1 kD0qF0EPU5hgoAslK2XoJKE66aXj9vftIDdQIBAAA=
X-Bess-Outbound-Spam-Score0.16
X-Bess-Outbound-Spam-ReportCode version 3.2, rules version 3.2.2.258634 [from cloudscan16-142.us-east-2b.ess.aws.cudaops.com] Rule breakdown below pts rule name description ---- ---------------------- -------------------------------- 0.00 HTML_IMAGE_ONLY_24 BODY: HTML: images with 2000-2400 bytes of words 0.01 BSF_SC0_SA_TO_FROM_DOMAIN_MATCH META: Sender Domain Matches Recipient Domain 0.00 HTML_MESSAGE BODY: HTML included in message 0.00 BSF_BESS_OUTBOUND META: BESS Outbound 0.14 MPART_ALT_DIFF BODY: HTML and text parts are different
X-Bess-Outbound-Spam-StatusSCORE=0.16 using account:ESS91168 scores of KILL_LEVEL=7.0 tests=HTML_IMAGE_ONLY_24, BSF_SC0_SA_TO_FROM_DOMAIN_MATCH, HTML_MESSAGE, BSF_BESS_OUTBOUND, MPART_ALT_DIFF
X-Bess-Brts-Status1
X-Tm-As-Ers209.222.82.33-127.9.0.1
X-Tmase-VersionStarCloud-1.3-9.1.1028-28624.000
X-Tmase-Result10--27.062600-7.000000
X-Tmase-Matchedrid cqkypTHrfYblWIQhuBlG6kD8XsAfKtB5ChJqth1sAeoEo7RuIMv80At4 xO6POgCMxWDy3fEIm33JD+x5Gv5HyfQGmEqbt1OwWShcjhmQ7BEdjlrznnjhYPGKuygqTSTfSBD IP5lXrC8ktyv3T/NyPkzybeSDgWzNQdB77ebD2zjgR8l2Qhmx6mbAWs7ut9sikj4YNhB8WcK3B6 PQfaMtcRBq/0lQI/pLFbysFUYi29kShLtqspoMd4tozUB7oVBXG6vAF77GsJb6EZOWUqY0GC65+ Td0AkXGJel4XoiyEN8NA5h5goeswubGpf9n2yCVHY/XeJlZKEXKIm5wTGbEAKINgcEzNI9jZFU1 OAyYdMM8wI78sJc+1X0nkNVZUcLt6D0IQz16lXJKbGAWfebwy/4HMKRDK5w1b38BDIuNsvzWduc paS5PZAALXvd/ahkgjWwCFLlnNKonxX138MZb11rnBGaGznk0MtqLW6iaAWp0dzm+/HbU9FOsY3 p9sG7FHTbwDuqJ1aA2NptCrHWcmCIgjTHVhLEM+cRImPy1aLskTOb1Ht2kT3PEIv7ZxqNNeuYan ixitAosWKzV3dSVpLS2U5E6u8XA6XaGSX+VH4TRwkr4ujw9qMFU1OsXSWWxhoxKtcowRB/MtV+6 GrgU8SjlZNpGlmz/zh5pfkkvXmVtbtOy7xZlYjmoMBkrmuf/mCYM4MaoFU9gzsg0RQqaJLcIl1L tAgi2dBQi3/pSJMC+xJv79spnKdysVglBT1hnqrLIM38svt58LgjA4u/K59BUjSZeZsvECrRPC0 KYV3qXPMyznfSMjdeUYV4tmZLQCeL4QOrAESPRw+VqpywFTkro7lT9MrkBulxMqwyzVlEhtlJZd lnnbQ==
X-Tmase-Snap-Result1.821001.0001-0-1-5:1,22:0,28:1,33:0,34:0,42:1-0
X-Tmase-Xgencloud5d66fdf3-d15c-4eea-b014-d44eb5e9e3fc-0-0-200-0
X-Tm-Deliver-SignatureF026D9A7502EE5B307E7C5ADDC439EE2
X-Tm-Addin-Auth 4kVvuyDrQmvqnA9Idyfy/o1+vVF5FgPYtbcdVt4Joqe+W3W7IWhMH+lgt4o t4v4Mvxzek0E8TMOb432fP8sEFGdf3FMZCnNUjnJD0z668Q/01eG8cNiGPvK886aGjuvBWGduRm QXO4HExsr9Toc2fBjdhWJASwMwm4E5DdNK/DFVa8F4ytSFRVn9oHUO1fxCA57zbY5RlYL95jhg5 uUZ6q9TSEhe6L/nAUeB5A/svWDmUE8+L3KSZirn2r2Q7FYt0LY4oIyLFWMeGuwBiNMmQehUsu0/ U5jTUcBcIAzB0bNitPNFlNJC1ViYcDtB6lClbYydp++0IvoL7qFGiF93bA==.JgWjLWOOP+DXAe po+ICTgsJN50vbnHg9JDkQ3+FUtO/jnfoWMoUbZOpVBbfTeh6v6XLVX6cuuGwBtm+EKCNhYrBse 5xGncOA+kdMxIl8jwymIlkHO4xdM/qTzVWxa04VeCo1cV9FBCmFjz4hGaG0mOOIBz+KPha1EiM+ J+9E7CUoDxYP+1HkFhrHkwxzF55gMHU5GU7nymNtK3jYK13kNUbyG695FGUx3O+hfxRzs20loXz uVgg6MKvca/7TiFOfNm5lBj5MElpED82JlJSoPZCFB3ejYtfPILiOsQPp8JEWS9o7MQqoc5dTbb 5z8iZD/Q8D5HRjKmzrJXWKOKX8TA==
X-Tm-Addin-ProductcodeEMS
Return-Pathltrzaskus@consulttruenorth.com
X-Ms-Exchange-Organization-Expirationstarttime27 Aug 2024 16:45:25.5413 (UTC)
X-Ms-Exchange-Organization-ExpirationstarttimereasonOriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval1:00:00:00.0000000
X-Ms-Exchange-Organization-ExpirationintervalreasonOriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id dd652bf3-ab18-4da1-1ca5-08dcc6b7a68e
X-Eopattributedmessage0
X-Eoptenantattributedmessage38f5a5d8-05e5-4b90-b247-044e544e666a:0
X-Ms-Exchange-Organization-MessagedirectionalityIncoming
X-Ms-Exchange-Transport-Crosstenantheadersstripped DS1PEPF00017096.namprd05.prod.outlook.com
X-Ms-PublictraffictypeEmail
X-Ms-Exchange-Organization-Authsource DS1PEPF00017096.namprd05.prod.outlook.com
X-Ms-Exchange-Organization-AuthasAnonymous
X-Ms-Office365-Filtering-Correlation-Id-Prvs c0b13f78-dc6b-430f-45ba-08dcc6b76b83
X-Ms-Exchange-Organization-Scl1
X-Microsoft-Antispam BCL:0;ARA:13230040|82310400026|35042699022|5073199012|4073199012|3613699012;
X-Forefront-Antispam-Report CIP:18.208.22.118;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:inpost.tmes.trendmicro.com;PTR:inpost.tmes.trendmicro.com;CAT:NONE;SFS:(13230040)(82310400026)(35042699022)(5073199012)(4073199012)(3613699012);DIR:INB;
X-Ms-Exchange-Crosstenant-Originalarrivaltime27 Aug 2024 16:45:25.2445 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id dd652bf3-ab18-4da1-1ca5-08dcc6b7a68e
X-Ms-Exchange-Crosstenant-Id38f5a5d8-05e5-4b90-b247-044e544e666a
X-Ms-Exchange-Crosstenant-Authsource DS1PEPF00017096.namprd05.prod.outlook.com
X-Ms-Exchange-Crosstenant-AuthasAnonymous
X-Ms-Exchange-Crosstenant-FromentityheaderInternet
X-Ms-Exchange-Transport-Endtoendlatency00:00:02.3527105
X-Ms-Exchange-Processed-By-Bccfoldering15.20.7897.019
X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
Content-Transfer-Encoding7bit

Icon Hash:46070c0a8e0c67d6
No network behavior found

Target ID:0
Start time:14:13:26
Start date:27/08/2024
Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):true
Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-phish_alert_sp2_2.0.0.0.eml"
Imagebase:0x220000
File size:34'446'744 bytes
MD5 hash:91A5292942864110ED734005B7E005C0
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

Target ID:4
Start time:14:13:33
Start date:27/08/2024
Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):false
Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91660081-029E-48F9-8285-49EF82740A07" "6848AD10-B891-4458-BCB1-412F94668DFC" "8024" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:0x7ff777ed0000
File size:710'048 bytes
MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:false

No disassembly