Windows Analysis Report
nested-You have been hacked.eml

Overview

General Information

Sample name: nested-You have been hacked.eml
Analysis ID: 1523563
MD5: 4c80fb2cc840aa9ad363b8090fd85d39
SHA1: aa2650ee1b06d28fd3251605b2b305ab85a1eaf1
SHA256: 19bd7400e067cc7f34434ecc14e6335cd704c39ee123b39319498614fb4f6eb7
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 6728 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-You have been hacked.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 5232 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E0922D0D-BE47-4AAC-91A8-7111C894EA27" "B883F684-C4AC-4D33-B325-87D36D804D0D" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6728, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://webshell.suite.office.com
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://wus2.contentsync.
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: C150EED2-8555-496A-A6B3-51A457CF735C.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine; Classification label: clean1.winEML@3/17@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241001T1326060348-6728.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-You have been hacked.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E0922D0D-BE47-4AAC-91A8-7111C894EA27" "B883F684-C4AC-4D33-B325-87D36D804D0D" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix, listed per tactic (a number in parentheses is the count shown in the matrix for that technique):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Masquerading (1); Modify Registry (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Process Discovery (1); System Information Discovery (13); Query Registry; System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1523563; Sample: nested-You have been hacked.eml; Start date: 01/10/2024; Architecture: WINDOWS; Score: 1. Process chain shown in the graph: OUTLOOK.EXE started, which in turn started ai.exe.

No Antivirus matches
Name: bg.microsoft.map.fastly.net; IP: 199.232.214.172; Active: true; Malicious: false; Antivirus Detection: none; Reputation: unknown
                • URL Reputation: safe
                unknown
                https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeechC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                • URL Reputation: safe
                unknown
                https://learningtools.onenote.com/learningtoolsapi/v2.0/GetvoicesC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                • URL Reputation: safe
                unknown
                https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                • URL Reputation: safe
                unknown
                https://d.docs.live.netC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                  unknown
                  https://safelinks.protection.outlook.com/api/GetPolicyC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://ncus.contentsync.C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    unknown
                    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    http://weather.service.msn.com/data.aspxC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://apis.live.net/v5.0/C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://officepyservice.office.net/service.functionalityC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://templatesmetadata.office.net/C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://messaging.lifecycle.office.com/C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://mss.office.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://pushchannel.1drv.msC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://management.azure.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://outlook.office365.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                    • URL Reputation: safe
                    unknown
                    https://login.windows.netApp1727803569087845800_1E10C151-3C25-4902-B396-FD356E1AB5EC.log.0.drfalse
                      unknown
                      https://wus2.contentsync.C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://incidents.diagnostics.office.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://clients.config.office.net/user/v1.0/iosC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://make.powerautomate.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.addins.omex.office.net/api/addins/searchC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://insertmedia.bing.office.net/odc/insertmediaC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://outlook.office365.com/api/v1.0/me/ActivitiesC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://api.office.netC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://incidents.diagnosticssdf.office.comC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://asgsmsproxyapi.azurewebsites.net/C150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      https://clients.config.office.net/user/v1.0/android/policiesC150EED2-8555-496A-A6B3-51A457CF735C.0.drfalse
                      • URL Reputation: safe
                      unknown
                      No contacted IP infos
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1523563
                      Start date and time:2024-10-01 19:25:11 +02:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 4m 27s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                       Number of new started processes analysed:8
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:nested-You have been hacked.eml
                      Detection:CLEAN
                      Classification:clean1.winEML@3/17@0/0
                      EGA Information:Failed
                      HCA Information:
                      • Successful, ratio: 100%
                      • Number of executed functions: 0
                      • Number of non-executed functions: 0
                      Cookbook Comments:
                      • Found application associated with file extension: .eml
                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                      • Excluded IPs from analysis (whitelisted): 52.109.89.18, 52.109.68.129, 52.113.194.132, 2.19.126.160, 2.19.126.151, 199.232.214.172, 20.189.173.3
                      • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, weu-azsc-config.officeapps.live.com, eur.roaming1.live.com.akadns.net, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, ocsp.digicert.com, login.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, wu-b-net.trafficmanager.net, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, onedscolprdwus02.westus.cloudapp.azure.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net
                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                      • VT rate limit hit for: nested-You have been hacked.eml
                      No simulations
                      No context
                       Match: bg.microsoft.map.fastly.net
                       Associated Sample Name / URL | Detection | Threat Name | Context
                       bWrRSlOThY.exe | malicious | AsyncRAT, Neshta | 199.232.210.172
                       https://www.dropbox.com/l/scl/AADL_v5DzsoHwkyegIhk6J0bQm3A7UWklCA | malicious | Unknown | 199.232.214.172
                       https://k7qo.sarnerholz.cam/APRjVfmk | malicious | Unknown | 199.232.214.172
                       https://0.pwsinc.shop/?MKPT=Inc | malicious | Captcha Phish | 199.232.210.172
                       https://swissquotech.com/swissquote-2024.zip | malicious | Phisher | 199.232.214.172
                       He6pI1bhcA.exe | malicious | ScreenConnect Tool | 199.232.214.172
                       5eRyCYRR9y.exe | malicious | ScreenConnect Tool | 199.232.210.172
                       VD01NDHM8u.exe | malicious | ScreenConnect Tool | 199.232.210.172
                       vovE92JSzK.exe | malicious | ScreenConnect Tool | 199.232.214.172
                       s9POKY8U8k.exe | malicious | ScreenConnect Tool | 199.232.214.172
                      No context
                      No context
                      No context
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4770 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                      Category:dropped
                      Size (bytes):4770
                      Entropy (8bit):7.946747821604857
                      Encrypted:false
                      SSDEEP:96:9/nBu64pydcvOHRUfu0xK1bQYMRSRNoYmxYvk56sHMZhh4m:9/nBuP2cGxUfu6K1bpWJ6vfh4m
                      MD5:1BFE591A4FE3D91B03CDF26EAACD8F89
                      SHA1:719C37C320F518AC168C86723724891950911CEA
                      SHA-256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8
                      SHA-512:02F88DA4B610678C31664609BCFA9D61DB8D0B0617649981AF948F670F41A6207B4EC19FECCE7385A24E0C609CBBF3F2B79A8ACAF09A03C2C432CC4DCE75E9DB
                      Malicious:false
                      Reputation:moderate, very likely benign file
                      Preview:MSCF............,...................O.................2Wqh .disallowedcert.stl....^K...CK.wTS...:.w.K'.C0T.....Bh.{....C.).*.....Y@...(..).R."E..D^6........u....|f~3...o.3. ..SPK.k.o#...."{-.U..P........:..aPr.@.d......Dy.h.....)..:...!./\A.....A<I_<$...q.h..........'.....7....H...@`T..K.S.%...Y4..R.....`.....-....D...(..b..-c."...G.=.dx..S+..2.a.E....d.L...77J...c.[..@..iT&..^78..g....NW6.Ek..FY.F........cNt.O.*..R....*......D...... k........J.y...z.d...;.9_t...].@....yw..}.x....d.t..`f\K..;|.*h.X...4/.;.xT......q>.0...<...3...X..L$.&.,b.....\V....\......G..O..@..H3.....t..J..).x.?.{[..G>.7...<...^Q..z..Gw9P..d....i].n%K}.*z..2.Py...A..s...z..@...4..........4.....*Y.d..._Z.5.s..fl.C..#.K{9^.E...k..z.Ma..G.(.....5g. ...}.t.#4....$;.,....S@fs....k......u .^2.#_...I........;.......w..P...UCY...$;.S._|.x..dK...[i..q..^.l..A.?.....'N.. .L.l......m.*.+f#]............A.;.....Z..rIt....RW....Kr1e=8.=.z:Oi.z.d..r..C_......o...]j.N;.s....3@3.dgrv.
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):338
                      Entropy (8bit):3.2701238360821674
                      Encrypted:false
                      SSDEEP:6:kK1kDsN+SkQlPlEGYRMY9z+s3Ql2DUevat:mDTkPlE99SCQl2DUevat
                      MD5:6B614C80F64D200AD31DB9409D4FF9A0
                      SHA1:9B54B8B76DD60AB5E004B83E5F5724970279B860
                      SHA-256:8AE3B3EB14C451A047C04FD01E620E23A2FF8C78987273196F804AC71EBCD263
                      SHA-512:1C62BC5C7CBEA0C6CD9DFFA88348E285366251A7CABD2A931B7E18B18F561CF49779E292A9509AFC76EF30D3BFBF9383D716D4B8187F7972691D6CC17339EC9B
                      Malicious:false
                      Reputation:low
                      Preview:p...... ........Y.T.'...(....................................................... .........p.........$.....(=........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):231348
                      Entropy (8bit):4.396597563961801
                      Encrypted:false
                      SSDEEP:1536:HRYL3igsQbSN+XWNRgst0NcAz79ysQqt2LAW5qoQTQrcm0Fv/E6yBPQRl/98biap:2SgkWqghmiGu2nqoQUrt0FvKK7GNlNVZ
                      MD5:F589A897CD17E8B63F11B90D76405689
                      SHA1:8D421EAD867C130477ACE70E67A684237718015A
                      SHA-256:A59CD753F1C78A86705975EC354A5AC1F240BAE132855C00BBC3EE153AAE8197
                      SHA-512:20FB3CB427D47ADCC94C4416EBD6A7A640A2BF8333B41532FA3ADD049FD3D77C72BDFF1DB18C1407F6830FE55A1DA11815F631D535CF864832D1783A86F1B5D5
                      Malicious:false
                      Reputation:low
                      Preview:TH02...... ...:.&.......SM01X...,...@.).&...........IPM.Activity...........h...............h............H..h..W.....+.....h........PU..H..h\eng ...r\Ap...h..}.0.....W....h...............h........_`.k...ho...@...I.6w...h....H...8..k...0....T...............d.........2h...............k..............!h.............. h.g...... .W...#h....8.........$hPU......8....."h..............'h..t...........1h....<.........0h....4.....k../h....h......kH..hx...p.....W...-h .......L.W...+h+........W................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with very long lines (65536), with no line terminators
                      Category:dropped
                      Size (bytes):322260
                      Entropy (8bit):4.000299760592446
                      Encrypted:false
                      SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                      MD5:CC90D669144261B198DEAD45AA266572
                      SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                      SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                      SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                      Malicious:false
                      Reputation:high, very likely benign file
                       Preview:51253fe60063c31af0d295afb42228b0:v2:2:1:1590:2:8479:
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with no line terminators
                      Category:dropped
                      Size (bytes):10
                      Entropy (8bit):2.8464393446710154
                      Encrypted:false
                      SSDEEP:3:LCXWQSRn:mWHR
                      MD5:0DDA6E9B45801CC25531FF95E4628CDF
                      SHA1:29A398265B498FE7D24E2D7BE7E37CE5676DF068
                      SHA-256:E8BA31CD61B20D561F0137B360A30AA4A8D5CE7081A6ADD5BF9C1D76D744C6EB
                      SHA-512:04E513601E06A6C60DBB9A995793B5A285D602F90F030E54D61E015F623AD42C3D43CDEC968B306E1D0EC073D6606EF300B134A03C66A7DEDA5AF0493C30D9DF
                      Malicious:false
                      Reputation:low
                      Preview:1727803574
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):177088
                      Entropy (8bit):5.286724579780074
                      Encrypted:false
                      SSDEEP:1536:yi2XfRAqcbH41gwEwLe7HW8bM/o/NM5cAZl1p5ihs7EXXCEAD2OdaLI:HCe7HW8bM/o/9XPkiI
                      MD5:A7CADD3B2161318C3945BF47A9A12FC5
                      SHA1:95508265FF9B186D293004D54CF7CFC292727D74
                      SHA-256:5174DEF5A4143C01AF14842A5B62E5C9D927942254A7C05813E7C13FD605FAF2
                      SHA-512:2A9958D516BEFAA30DC49E23F29FAB4E619E8BE47033746560A0E3A19B82FB96676F176716584767A83DA1B815B88663CE48AA67C3BAD6462EAC7F96052859F7
                      Malicious:false
                      Reputation:low
                      Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-01T17:26:12">.. Build: 16.0.18112.40129-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite 3.x database, last written using SQLite version 3023002, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                      Category:dropped
                      Size (bytes):4096
                      Entropy (8bit):0.09216609452072291
                      Encrypted:false
                      SSDEEP:3:lSWFN3l/klslpF/4llfll:l9F8E0/
                      MD5:F138A66469C10D5761C6CBB36F2163C3
                      SHA1:EEA136206474280549586923B7A4A3C6D5DB1E25
                      SHA-256:C712D6C7A60F170A0C6C5EC768D962C58B1F59A2D417E98C7C528A037C427AB6
                      SHA-512:9D25F943B6137DD2981EE75D57BAF3A9E0EE27EEA2DF19591D580F02EC8520D837B8E419A8B1EB7197614A3C6D8793C56EBC848C38295ADA23C31273DAA302D9
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite Rollback Journal
                      Category:dropped
                      Size (bytes):4616
                      Entropy (8bit):0.13700485453793962
                      Encrypted:false
                      SSDEEP:3:7FEG2l+/M+9ls9/FllkpMRgSWbNFl/sl+ltlslVlllfllt:7+/lp+9Ig9bNFlEs1EP/d
                      MD5:1456B704C8242CE023BB4F1AE5F4A9B5
                      SHA1:A2853855F61C19E0A8397C34CC23B84A51EE4B51
                      SHA-256:EDA45AA9A8A1BC5F6101CE8EE622768E03CD6A79164B6D5672686B0317C06C2B
                      SHA-512:74E05D6A992F2CAACE9ED20B50A9458D772EB4E0CC5244CC856363425C046D6C27087B73C2A435D4C545F222C8978C2E7900BCBD9609F23AEDEBD8B93C4DA16A
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):32768
                      Entropy (8bit):0.04453451757384427
                      Encrypted:false
                      SSDEEP:3:G4l2BaeWQeHYAl2BaeWQGltlWlL9//Xlvlll1lllwlvlllglbXdbllAlldl+l:G4l2olVYAl2olPt0L9XXPH4l942U
                      MD5:23667384432108E59BAE4751C7E3533E
                      SHA1:EADBAF27F660AA342F98037CD9F4666D14EC7DA4
                      SHA-256:DFDF8B9A4A74E15045326DA61DF1D5B085A292F6CED1B07F5EFB4BF8EAF4BE73
                      SHA-512:E7A408D9A201E6F7C8545CA550C3247C9B741FA742098C3DC5EF57C1BFFF25B98A2A3FD2B868BB4AE9135F7ECAC203A3594B505E389E869E54D7787DD41E8C98
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:SQLite Write-Ahead Log, version 3007000
                      Category:modified
                      Size (bytes):45352
                      Entropy (8bit):0.3938519768380463
                      Encrypted:false
                      SSDEEP:24:KgipMQ3zRDNnKtUll7DBtDi4kZERDoFtf+zqt8VtbDBtDi4kZERD:tipMQ1ZKtUll7DYMGtGzO8VFDYM
                      MD5:4BFCA2DCD2BA7C38252619E610E91BB5
                      SHA1:D90E5E67594677668F1051DD70EA92696C42CA35
                      SHA-256:BEF76D15B0270E79D90632A3D108552EF9E1B282318F3041890B843CAA63AF3C
                      SHA-512:B7D310696B487400FAE5423FBC71C9C97A187BE234D1F585962AA83748DEBD4489CA4F16063E7B4603961B5CA3283E0020706C71567BAFB30B13CCE6AFFD4809
                      Malicious:false
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:ASCII text, with very long lines (1979), with CRLF line terminators
                      Category:dropped
                      Size (bytes):20971520
                      Entropy (8bit):0.008672947263970738
                      Encrypted:false
                      SSDEEP:192:2UOGA8GiKTfLnhTqamc15jiWbswPRqAg4NLinzBb:2UmRTfLhTqi5jiWbRPRqAgaLinzBb
                      MD5:1BBA5C89173AF1658710701C8F895360
                      SHA1:679D26FFB8A62BD687BA6BE50B379A89AA61D691
                      SHA-256:1AE95242156F6DF27AB3F0A3567579B44DA94E443F9AD70239AA3244F7BF0D69
                      SHA-512:42F2B82F2FF7CC1B3AF06856D96736D6CC74C9B81B182C70BEBD52D1BBA91E31E7DBE52371695E8E23AC2B31AC49A267A63F6CC8046B5D69EE4E877DAD09EBE5
                      Malicious:false
                      Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/01/2024 17:26:09.113.OUTLOOK (0x1A48).0x774.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.System.GracefulExit.GracefulAppExitDesktop","Flags":33777014402039809,"InternalSequenceNumber":17,"Time":"2024-10-01T17:26:09.113Z","Data.PreviousAppMajor":16,"Data.PreviousAppMinor":0,"Data.PreviousAppBuild":16827,"Data.PreviousAppRevision":20130,"Data.PreviousSessionId":"11F3FF5A-F170-4501-BDA2-7322C50D1833","Data.PreviousSessionInitTime":"2024-10-01T17:25:48.297Z","Data.PreviousSessionUninitTime":"2024-10-01T17:25:51.610Z","Data.SessionFlags":2147483652,"Data.InstallMethod":0,"Data.OfficeUILang":1033,"Data.PreviousBuild":"Unknown","Data.EcsETag":"\"\"","Data.ProcessorArchitecture":"x64"}...10/01/2024 17:26:09.176.OUTLOOK (0x1A48).0x830.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Telemetry.LoadXmlRules","Flags":33777014401990913,"InternalSequenceNumber":22,"
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):20971520
                      Entropy (8bit):0.0
                      Encrypted:false
                      SSDEEP:3::
                      MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                      SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                      SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                      SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                      Malicious:false
                      Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):135168
                      Entropy (8bit):4.675931253104704
                      Encrypted:false
                      SSDEEP:1536:iz/SJloYs1vdmwYR1AEZLjKgAapK/WX4pq97t/FJWI2Z07SXrH:ii4pqdlF+XrH
                      MD5:37D5E36DFC8A2A5A6741E25874C3F6F2
                      SHA1:0E674997A729076EDCADD3EBE9F97ECE257DC727
                      SHA-256:0E56B04258D88DAF9D51DF21E0E0D201D8B1DA6AC8DF139BBA649EFD1415FEF2
                      SHA-512:0D5A69C571DED98F4DF836D7A8FA5D36973CA54F77E72254B5A1111ED16BACD5FDE3B75FE03DE1D99FFC7D455025EF9AAACA72A403D1D65E08E0B61FA689A2A1
                      Malicious:false
                      Preview:............................................................................h...t...H...q.a.&...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1..............................................................yJ...........q.a.&...........v.2._.O.U.T.L.O.O.K.:.1.a.4.8.:.9.6.5.2.c.e.0.b.2.4.3.d.4.5.6.3.9.d.d.9.7.9.7.d.b.9.6.2.7.7.3.4...C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.1.T.1.3.2.6.0.6.0.3.4.8.-.6.7.2.8...e.t.l.......P.P.t...H....Qd.&...................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):30
                      Entropy (8bit):1.2389205950315936
                      Encrypted:false
                      SSDEEP:3:tohlX:Wh
                      MD5:C85B4B85C3EE0F3471BA0114C1BC8E90
                      SHA1:350388A7976C53058FF29AFE38728D64C90FA040
                      SHA-256:42B190BCC4E3F1124CD872487145B6F4A32136108D1D59096AD5A88C3195B732
                      SHA-512:F1C1F24238173CBD10AB9D1CD8EF1936E1ED5C46D8B4041BB0065A8206A49A3E6C0133B738179A5F717D3ABA4052CE959DADD9B1E1C18584FC76243ED42A68A5
                      Malicious:false
                      Preview:....Z\........................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Composite Document File V2 Document, Cannot read section info
                      Category:dropped
                      Size (bytes):16384
                      Entropy (8bit):0.6702321944796772
                      Encrypted:false
                      SSDEEP:12:rl3baFzqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheCIj:r3mnq1Py961I
                      MD5:03E8C8BBC264793B3428E60753795C12
                      SHA1:AC937BA5CD551EC5A42C2FE7A43D5ED696C6055B
                      SHA-256:CA5F01B65BDE01CDF9CE058644D2CB8C207620AD2F84084AB8728AECC64A817E
                      SHA-512:97412AC573D68C19A5A1138467A155D2B05025BEDA1F4B89846F8890A7E2A065FE7EA777DFCC93148C440234748C3CD5A0F3F56B7A1DC8990D7C012030781BF9
                      Malicious:false
                      Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:Microsoft Outlook email folder (>=2003)
                      Category:dropped
                      Size (bytes):271360
                      Entropy (8bit):2.276787202568378
                      Encrypted:false
                      SSDEEP:1536:jrTSGfiSYyBko5/o5fUi+yTNBeZTMbEja714+RZn2rT0W53jEpEHPVQ10BAwr1:DHYylMbaa7xBpj
                      MD5:C7A040F8891A582CCF76970460B8C859
                      SHA1:F449A9AA0878D19B54BE542BAA35BA373D4FDD49
                      SHA-256:6E2F539ACF01C9503EF87D9C7E1CE2C84A8315AE6B28AAE000CF0DBB05B23E37
                      SHA-512:55EFE8C1669FA173E3C62AF5429AC514FC3F5512904829DA0CBE4E695AEB0013AC0156E0E79135C3CE87A3A9EE0D441D01E5E3EB251347D127E5BFA2079AD067
                      Malicious:false
                      Preview:!BDN&.'1SM......\...=Y..........B.......`................@...........@...@...................................@...........................................................................$.......D......................A........n......>........................................................................................................................................................................................................................................................................................................f......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                      Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):131072
                      Entropy (8bit):3.3474249001141723
                      Encrypted:false
                      SSDEEP:1536:y+yTNBerToSbb9o5/o5fUVja714jvI1dT+W53jEpEHPVQ10BAwr113TOKi:zJbwa7goMpj
                      MD5:70920FCD22193AC258FCB20FF71A9282
                      SHA1:8A8725DBC314B1A5D5D5EA15A3BC495918C2BADB
                      SHA-256:8790877933B562B5CDB0BA8E8085BD1D2744AC991D32E60B4706C3E5E5388239
                      SHA-512:906ABD67D92A868320A22F51522CECDD72697DDDF560CF86AC4CD12C2E7165F86EB85F8A46BC9FB4E24086D1CC3FC7A636C907E5592C056FE36C3761541F3194
                      Malicious:false
                      Preview:..,.C...G.......H...M.K.&.....................#.!BDN&.'1SM......\...=Y..........B.......`................@...........@...@...................................@...........................................................................$.......D......................A........n......>........................................................................................................................................................................................................................................................................................................f..M.K.&........B............#.........................................................................................................................................................................................................................................................................................................................................................................................................
                      File type:RFC 822 mail, ASCII text, with CRLF line terminators
                      Entropy (8bit):5.779639090860595
                      TrID:
                      • E-Mail message (Var. 5) (54515/1) 100.00%
                      File name:nested-You have been hacked.eml
                      File size:13'569 bytes
                      MD5:4c80fb2cc840aa9ad363b8090fd85d39
                      SHA1:aa2650ee1b06d28fd3251605b2b305ab85a1eaf1
                      SHA256:19bd7400e067cc7f34434ecc14e6335cd704c39ee123b39319498614fb4f6eb7
                      SHA512:88658c24f431207b21cd7b9f021e60534e92137df43c3e2d6344b7d066c677778ca7710446b808f2dbf160a76eb14e447afa1fe83c702e27b28187f20a558129
                      SSDEEP:192:qkEhxJWM0reiWFpX/+iiCv5E3TeBGPu06R87KG9:qkEY9rxWFh+BNeJrm9
                      TLSH:A552DA271AA8947040366DF13F003B0D62E66D9A2CF26952F67F88F53BDD899C91294F
                      File Content Preview:Received: from YT4PR01MB9816.CANPRD01.PROD.OUTLOOK.COM (2603:10b6:b01:e2::7).. by YT2PR01MB9890.CANPRD01.PROD.OUTLOOK.COM with HTTPS; Fri, 27 Sep 2024.. 08:25:48 +0000..Received: from YT4P288CA0028.CANP288.PROD.OUTLOOK.COM (2603:10b6:b01:d3::14).. by YT4P
                      Subject:You have been hacked
                      From:"cconrad@markham.ca" <cconrad@markham.ca>
                      To:cconrad@markham.ca
                      Cc:
                      BCC:
                      Date:Fri, 27 Sep 2024 01:25:41 -0700
                      Communications:
                      • Hello pervert, I've sent this message from your account. I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisly. Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, macOS and Windows. I guess, you already figured out where Im getting at. Its been a few months since I installed it on all your dvis because you were not quite choosy about what links to click on the intrnt. During this period, Ive learned about all aspects of your private life, but n is of special significance to me. Ive recorded many videos of you jerking off to highly controversial rn videos. Given that the questionable genre is almost always the same, I can conclude that you have sick rvrsin. I doubt youd want your friends, family and co-workers to know about it. However, I can do it in a few clicks. Every number in your contact Iist will suddenly receive these vids on WhatsApp, on Telegram, on Instagram, on Facebook, on email everywhere. It is going to be a tsunami that will sweep away everything in its path, and first of all, your frmr life. Dont think of yourself as an innocent victim. No one knows where your rvrsin might lead in the future, so consider this a kind of deserved unishmnt to stop you. Im some kind of God who sees everything. However, dont panic. As we know, God is merciful and forgiving, and so do I. But my mry is not free. Transfer 1200$ to my Litecoin (LTC) wallet: ltc1q2qdtf4dvtuxgm8pj0y2wr53ch776dx9rmtaegs Once I receive confirmation of the transaction, I will rmanently delete all videos compromising you, uninstll Pegasus from all of your devices, and disappear from your life. You can be sure my benefit is only money. 
Otherwise, I wouldnt be writing to you, but destroy your life without a word in a second. Ill be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are unchartered waters for you, dont worry, its very simple. Just google crypto exchange or "buy Litecoin" and then it will be no harder than buying some useless stuff on Amazon. I strongly warn you against the following: * Do not reply to this email. I've sent it from your account.* Do not contact the police. I have access to all your dvis, and as soon as I find out you ran to the cops, videos will be published.* Dont try to reset or destroy your dvis. As I mentioned above: Im monitoring all your activity, so you either agree to my terms or the vids are ublished. Also, dont forget that cryptocurrencies are anonymous, so its impossible to identify me using the provided ddrss. Good luck, my perverted friend. I hope this is the last time we hear from each other.And some friendly advice: from now on, dont be so careless about your online security. Hello pervert, I've sent this message from your account. I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisly. Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, macOS and Windows. I guess, you already figured out where Im getting at. Its been a few months since I installed it on all your dvis because you were not quite choosy about what links to click on the intrnt. During this period, Ive learned about all aspects of your private life, but n is of special significance to me. Ive recorded many videos of you jerking off to highly controversial rn videos. 
Given that the questionable genre is almost always the same, I can conclude that you have sick rvrsin. I doubt youd want your friends, family and co-workers to know about it. However, I can do it in a few clicks. Every number in your contact Iist will suddenly receive these vids on WhatsApp, on Telegram, on Instagram, on Facebook, on email everywhere. It is going to be a tsunami that will sweep away everything in its path, and first of all, your frmr life. Dont think of yourself as an innocent victim. No one knows where your rvrsin might lead in the future, so consider this a kind of deserved unishmnt to stop you. Im some kind of God who sees everything. However, dont panic. As we know, God is merciful and forgiving, and so do I. But my mry is not free. Transfer 1200$ to my Litecoin (LTC) wallet: ltc1q2qdtf4dvtuxgm8pj0y2wr53ch776dx9rmtaegs Once I receive confirmation of the transaction, I will rmanently delete all videos compromising you, uninstll Pegasus from all of your devices, and disappear from your life. You can be sure my benefit is only money. Otherwise, I wouldnt be writing to you, but destroy your life without a word in a second. Ill be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are unchartered waters for you, dont worry, its very simple. Just google crypto exchange or "buy Litecoin" and then it will be no harder than buying some useless stuff on Amazon. I strongly warn you against the following: * Do not reply to this email. I've sent it from your account.* Do not contact the police. I have access to all your dvis, and as soon as I find out you ran to the cops, videos will be published.* Dont try to reset or destroy your dvis. As I mentioned above: Im monitoring all your activity, so you either agree to my terms or the vids are ublished. Also, dont forget that cryptocurrencies are anonymous, so its impossible to identify me using the provided ddrss. 
Good luck, my perverted friend. I hope this is the last time we hear from each other.And some friendly advice: from now on, dont be so careless about your online security. Hello pervert, I've sent this message from your account. Hello pervert, I've sent this message from your account. Hello pervert, I've sent this message from your account. Hello pervert, I've sent this message from your account. I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisly. I want to inform you about a very bad situation for you. However, you can benefit from it, if you will act wisly. Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, macOS and Windows. I guess, you already figured out where Im getting at. Have you heard of Pegasus? This is a spyware program that installs on computers and smartphones and allows hackers to monitor the activity of device owners. It provides access to your webcam, messengers, emails, call records, etc. It works well on Android, iOS, macOS and Windows. I guess, you already figured out where Im getting at. Its been a few months since I installed it on all your dvis because you were not quite choosy about what links to click on the intrnt. During this period, Ive learned about all aspects of your private life, but n is of special significance to me. Its been a few months since I installed it on all your dvis because you were not quite choosy about what links to click on the intrnt. During this period, Ive learned about all aspects of your private life, but n is of special significance to me. Ive recorded many videos of you jerking off to highly controversial rn videos. Given that the questionable genre is almost always the same, I can conclude that you have sick rvrsin. 
Ive recorded many videos of you jerking off to highly controversial rn videos. Given that the questionable genre is almost always the same, I can conclude that you have sick rvrsin. I doubt youd want your friends, family and co-workers to know about it. However, I can do it in a few clicks. I doubt youd want your friends, family and co-workers to know about it. However, I can do it in a few clicks. Every number in your contact Iist will suddenly receive these vids on WhatsApp, on Telegram, on Instagram, on Facebook, on email everywhere. It is going to be a tsunami that will sweep away everything in its path, and first of all, your frmr life. Every number in your contact Iist will suddenly receive these vids on WhatsApp, on Telegram, on Instagram, on Facebook, on email everywhere. It is going to be a tsunami that will sweep away everything in its path, and first of all, your frmr life. Dont think of yourself as an innocent victim. No one knows where your rvrsin might lead in the future, so consider this a kind of deserved unishmnt to stop you. Dont think of yourself as an innocent victim. No one knows where your rvrsin might lead in the future, so consider this a kind of deserved unishmnt to stop you. Im some kind of God who sees everything. However, dont panic. As we know, God is merciful and forgiving, and so do I. But my mry is not free. Im some kind of God who sees everything. However, dont panic. As we know, God is merciful and forgiving, and so do I. But my mry is not free. Transfer 1200$ to my Litecoin (LTC) wallet: ltc1q2qdtf4dvtuxgm8pj0y2wr53ch776dx9rmtaegs Transfer 1200$ to my Litecoin (LTC) wallet: ltc1q2qdtf4dvtuxgm8pj0y2wr53ch776dx9rmtaegs 1200$ ltc1q2qdtf4dvtuxgm8pj0y2wr53ch776dx9rmtaegs Once I receive confirmation of the transaction, I will rmanently delete all videos compromising you, uninstll Pegasus from all of your devices, and disappear from your life. You can be sure my benefit is only money. 
Otherwise, I wouldnt be writing to you, but destroy your life without a word in a second. Once I receive confirmation of the transaction, I will rmanently delete all videos compromising you, uninstll Pegasus from all of your devices, and disappear from your life. You can be sure my benefit is only money. Otherwise, I wouldnt be writing to you, but destroy your life without a word in a second. Ill be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are unchartered waters for you, dont worry, its very simple. Just google crypto exchange or "buy Litecoin" and then it will be no harder than buying some useless stuff on Amazon. Ill be notified when you open my email, and from that moment you have exactly 48 hours to send the money. If cryptocurrencies are unchartered waters for you, dont worry, its very simple. Just google crypto exchange or "buy Litecoin" and then it will be no harder than buying some useless stuff on Amazon. 48 hours I strongly warn you against the following: * Do not reply to this email. I've sent it from your account. I strongly warn you against the following: * Do not reply to this email. I've sent it from your account. * Do not contact the police. I have access to all your dvis, and as soon as I find out you ran to the cops, videos will be published. * Do not contact the police. I have access to all your dvis, and as soon as I find out you ran to the cops, videos will be published. * Dont try to reset or destroy your dvis. As I mentioned above: Im monitoring all your activity, so you either agree to my terms or the vids are ublished. * Dont try to reset or destroy your dvis. As I mentioned above: Im monitoring all your activity, so you either agree to my terms or the vids are ublished. Also, dont forget that cryptocurrencies are anonymous, so its impossible to identify me using the provided ddrss. 
Also, dont forget that cryptocurrencies are anonymous, so its impossible to identify me using the provided ddrss. Good luck, my perverted friend. I hope this is the last time we hear from each other. Good luck, my perverted friend. I hope this is the last time we hear from each other. And some friendly advice: from now on, dont be so careless about your online security. And some friendly advice: from now on, dont be so careless about your online security.
                      Attachments:
                        Received: from me1187.com (193.160.73.87) by YT2PEPF000001CA.mail.protection.outlook.com (10.167.241.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8005.15 via Frontend Transport; Fri, 27 Sep 2024 08:25:43 +0000
                        Authentication-Results: spf=softfail (sender IP is 193.160.73.87) smtp.mailfrom=markham.ca; dkim=none (message not signed) header.d=none; dmarc=fail action=none header.from=markham.ca; compauth=fail reason=601
                        Received-SPF: SoftFail (protection.outlook.com: domain of transitioning markham.ca discourages use of 193.160.73.87 as permitted sender)
                        Message-ID: <0fcccc6697c7878cabe1a80365c1eacff0d3fa@markham.ca>
                        From: "cconrad@markham.ca" <cconrad@markham.ca>
                        To: cconrad@markham.ca
                        Subject: You have been hacked
                        Date: Fri, 27 Sep 2024 01:25:41 -0700
                        MIME-Version: 1.0
                        Return-Path: cconrad@markham.ca
                        X-MS-Exchange-Organization-ExpirationStartTime: 27 Sep 2024 08:25:44.4242 (UTC)
                        X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
                        X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
                        X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
                        X-MS-Exchange-Organization-Network-Message-Id: 7a8ba46a-24e9-4dec-ef75-08dcdecdfb38
                        X-EOPAttributedMessage: 0
                        X-EOPTenantAttributedMessage: 0f65dc8a-9589-4971-8749-84de0478ddac:0
                        X-MS-Exchange-Organization-MessageDirectionality: Incoming
                        X-MS-PublicTrafficType: Email
                        X-MS-TrafficTypeDiagnostic: YT2PEPF000001CA:EE_|YT4PR01MB9816:EE_|YT2PR01MB9890:EE_
                        X-MS-Exchange-Organization-AuthSource: YT2PEPF000001CA.CANPRD01.PROD.OUTLOOK.COM
                        X-MS-Exchange-Organization-AuthAs: Anonymous
                        X-MS-Office365-Filtering-Correlation-Id: 7a8ba46a-24e9-4dec-ef75-08dcdecdfb38
                        X-MS-Exchange-AtpMessageProperties: SA|SL
                        X-MS-Exchange-Organization-SCL: -1
                        X-Microsoft-Antispam: BCL:0;ARA:13230040;
                        X-Forefront-Antispam-Report: CIP:193.160.73.87;CTRY:JP;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:SKN;H:me1187.com;PTR:ErrorRetry;CAT:NONE;SFS:(13230040);DIR:INB;
                        X-MS-Exchange-CrossTenant-OriginalArrivalTime: 27 Sep 2024 08:25:43.6586 (UTC)
                        X-MS-Exchange-CrossTenant-Network-Message-Id: 7a8ba46a-24e9-4dec-ef75-08dcdecdfb38
                        X-MS-Exchange-CrossTenant-Id: 0f65dc8a-9589-4971-8749-84de0478ddac
                        X-MS-Exchange-CrossTenant-AuthSource: YT2PEPF000001CA.CANPRD01.PROD.OUTLOOK.COM
                        X-MS-Exchange-CrossTenant-AuthAs: Anonymous
                        X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
                        X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT4PR01MB9816
                        X-MS-Exchange-Transport-EndToEndLatency: 00:00:05.2052073
                        X-MS-Exchange-Processed-By-BccFoldering: 15.20.7982.022
                        X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
                        X-Microsoft-Antispam-Message-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
                        X-Priority: 3
                        Importance: Normal
                        x-ms-exchange-organization-originalclientipaddress: 193.160.73.87
                        x-ms-exchange-organization-originalserveripaddress: 10.167.241.22
                        Content-Type: multipart/alternative; boundary="------_=_NextPart_001_175DADF3.EE4C374D"
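The header table above is the evidence that this message is a self-addressed spoof rather than a compromised account: the connecting host me1187.com (193.160.73.87) is not an authorised sender for markham.ca (spf=softfail), the message carries no DKIM signature (dkim=none), DMARC fails, and yet action=none, so no policy enforced the failure and Exchange Online Protection delivered it with composite authentication failed (compauth=fail). The From address is also identical to the To address, and the display name is just the address repeated. The Python below is an added example written for this page, not code from the Joe Sandbox report or from Microsoft; SAMPLE_HEADERS reproduces the header table shown above, unfolded onto single lines, and the verdict rules (which failures make a message "spoofed" versus "suspicious") are this example's own choice.

```python
"""Triage of Microsoft 365 authentication headers for a self-addressed spoof.

Added example for this page; it is not part of the Joe Sandbox report and
not Microsoft's or Joe Sandbox's code. SAMPLE_HEADERS reproduces the header
table shown in the report, unfolded onto single lines. The verdict rules
are this example's own choice.
"""
import json
import re
from email import message_from_string
from email.utils import parseaddr

SAMPLE_HEADERS = """\
Received: from me1187.com (193.160.73.87) by YT2PEPF000001CA.mail.protection.outlook.com (10.167.241.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8005.15 via Frontend Transport; Fri, 27 Sep 2024 08:25:43 +0000
Authentication-Results: spf=softfail (sender IP is 193.160.73.87) smtp.mailfrom=markham.ca; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=markham.ca;compauth=fail reason=601
Received-SPF: SoftFail (protection.outlook.com: domain of transitioning markham.ca discourages use of 193.160.73.87 as permitted sender)
Message-ID: <0fcccc6697c7878cabe1a80365c1eacff0d3fa@markham.ca>
From: "cconrad@markham.ca" <cconrad@markham.ca>
To: cconrad@markham.ca
Subject: You have been hacked
Date: Fri, 27 Sep 2024 01:25:41 -0700
Return-Path: cconrad@markham.ca

"""


def parse_authentication_results(value):
    """Parse an Authentication-Results value (RFC 8601) into
    {method: {"result": ..., "props": {"ptype.property": value}}}.

    Microsoft 365 omits the leading authserv-id, so the first clause is
    only treated as a server id when it contains no '='.
    """
    # Strip CFWS comments such as "(sender IP is 193.160.73.87)".
    value = re.sub(r"\([^()]*\)", " ", value)
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    if clauses and "=" not in clauses[0]:
        clauses = clauses[1:]  # authserv-id, e.g. "mx.example.net"
    results = {}
    for clause in clauses:
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, val = token.partition("=")
            props[key.lower()] = val
        results[method.lower()] = {"result": result.lower(), "props": props}
    return results


def triage(raw_headers):
    """Return authentication facts plus a verdict for one message header block."""
    msg = message_from_string(raw_headers)
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        auth.update(parse_authentication_results(hdr))

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    to_addrs = {parseaddr(a)[1].lower() for a in msg.get_all("To", [])}
    # Connecting IP: first parenthesised IPv4 in the outermost Received header.
    received = msg.get("Received", "")
    m = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", received)
    connecting_ip = m.group(1) if m else None

    reasons = []
    spf = auth.get("spf", {}).get("result")
    if spf != "pass":
        reasons.append(f"spf={spf or 'absent'}")
    dkim = auth.get("dkim", {}).get("result")
    if dkim != "pass":
        reasons.append(f"dkim={dkim or 'absent'}")
    dmarc = auth.get("dmarc", {"result": None, "props": {}})
    dmarc_fail = dmarc["result"] == "fail"
    if dmarc_fail:
        action = dmarc["props"].get("action", "?")
        reasons.append(f"dmarc=fail action={action}")
        if action == "none":
            reasons.append("DMARC failure not enforced; delivery relied on tenant filtering")
    compauth = auth.get("compauth", {"result": None, "props": {}})
    if compauth["result"] == "fail":
        reasons.append("compauth=fail reason=" + compauth["props"].get("reason", "?"))
    self_addressed = from_addr in to_addrs
    if self_addressed:
        reasons.append("From address equals To address (self-spoof)")
    if "@" in display_name:
        reasons.append("display name is itself an e-mail address")

    # Verdict thresholds are this example's own choice, not an M365 rule.
    if dmarc_fail and self_addressed:
        verdict = "spoofed"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "auth": auth,
        "from": from_addr,
        "connecting_ip": connecting_ip,
        "self_addressed": self_addressed,
        "reasons": reasons,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_HEADERS), indent=2))
```

Run directly, it prints the triage as JSON with the verdict "spoofed" for the sample. The same three fields are what a mail-flow rule or SIEM query would key on for this class of sextortion mail: compauth=fail, From equal to To, and a DMARC failure with action=none, which is the gap that let the message reach the mailbox despite every authentication check failing.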

                        Icon Hash:46070c0a8e0c67d6
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Oct 1, 2024 19:26:13.424099922 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d3b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                        Oct 1, 2024 19:26:13.424099922 CEST | 1.1.1.1 | 192.168.2.6 | 0x2d3b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


                        Target ID:0
                        Start time:13:26:04
                        Start date:01/10/2024
                        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        Wow64 process (32bit):true
                        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\nested-You have been hacked.eml"
                        Imagebase:0x100000
                        File size:34'446'744 bytes
                        MD5 hash:91A5292942864110ED734005B7E005C0
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        Target ID:3
                        Start time:13:26:10
                        Start date:01/10/2024
                        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                        Wow64 process (32bit):false
                        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "E0922D0D-BE47-4AAC-91A8-7111C894EA27" "B883F684-C4AC-4D33-B325-87D36D804D0D" "6728" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                        Imagebase:0x7ff6f03f0000
                        File size:710'048 bytes
                        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                        Has elevated privileges:true
                        Has administrator privileges:true
                        Programmed in:C, C++ or other language
                        Reputation:high
                        Has exited:false

                        No disassembly