Windows Analysis Report
phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml

Overview

General Information

Sample name:phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
Analysis ID:1524346
MD5:cbc29359632670fdb52f4fabbac46e8b
SHA1:9355cc00597778efc10b73afe5c6430bd7291639
SHA256:b64389fd6fbf45aa015af1921cf9759f4dab650c7d5fe11c7e6da4d19131ac76
Infos:

Detection

Score:1
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7528 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7880 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F83E289-E183-4AC6-A1BF-9EC97AD59C71" "A4CDD259-2D47-4082-8BBA-59DA513136F7" "7528" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7528, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: unknown; DNS traffic detected: query: 241.42.69.40.in-addr.arpa replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 241.42.69.40.in-addr.arpa
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: http://email.sf-notifications.com/w=
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharef=
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharefile.com/?a=
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharefile.com/?a=3D8ac6b39caa69e5a6&=
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharefile.com/?a=3D8ac6b3=
Source: ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr; String found in binary or memory: https://bakerlaw.sharefile.com/?a=8ac6b39caa69e5a6&cmd=ee&id=52d1699e-5e6f-4966-9166-4026e955d812
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharefile.com/css/img/LargeLinkArrowDark.=
Source: ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr; String found in binary or memory: https://bakerlaw.sharefile.com/css/img/LargeLinkArrowDark.gif
Source: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml; String found in binary or memory: https://bakerlaw.sharefile.com/css/img/transparen=
Source: ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr; String found in binary or memory: https://bakerlaw.sharefile.com/styles/images/a7924f6e-b34b-0b65-5f94-0d7526696658-20240809170943403-
Source: classification engine; Classification label: clean1.winEML@3/10@1/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241002T1143000935-7528.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F83E289-E183-4AC6-A1BF-9EC97AD59C71" "A4CDD259-2D47-4082-8BBA-59DA513136F7" "7528" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
[Behavior graph: ID: 1524346; Sample: phish_alert_sp2_2.0.0.0 - 2...; Startdate: 02/10/2024; Architecture: WINDOWS; Score: 1. OUTLOOK.EXE started ai.exe; DNS/IP node: 241.42.69.40.in-addr.arpa]

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
241.42.69.40.in-addr.arpa | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://bakerlaw.sharefile.com/?a=3D8ac6b3= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
https://bakerlaw.sharefile.com/?a=8ac6b39caa69e5a6&cmd=ee&id=52d1699e-5e6f-4966-9166-4026e955d812 | ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr | false | | unknown
https://bakerlaw.sharefile.com/css/img/LargeLinkArrowDark.gif | ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr | false | | unknown
https://bakerlaw.sharef= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
https://bakerlaw.sharefile.com/css/img/transparen= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
https://bakerlaw.sharefile.com/styles/images/a7924f6e-b34b-0b65-5f94-0d7526696658-20240809170943403- | ~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp.0.dr | false | | unknown
https://bakerlaw.sharefile.com/?a= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
https://bakerlaw.sharefile.com/css/img/LargeLinkArrowDark.= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
https://bakerlaw.sharefile.com/?a=3D8ac6b39caa69e5a6&= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown
http://email.sf-notifications.com/w= | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml | false | | unknown

No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1524346
Start date and time:2024-10-02 17:41:51 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 35s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:default.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
Detection:CLEAN
Classification:clean1.winEML@3/10@1/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
  • Excluded IPs from analysis (whitelisted): 52.113.194.132, 20.42.73.26
  • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, s-0005.s-msedge.net, onedscolprdeus09.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, mobile.events.data.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadVirtualMemory calls found.
  • VT rate limit hit for: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
No simulations
No context

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.386114041653736
Encrypted:false
SSDEEP:3072:brgWOvgamiGu24qoQDart0FvjWDgrv7Sml:bkPmi2l2grv7S8
MD5:CC28915C5EF48BD4506F22A4258641E2
SHA1:BE96719BD9DCF65CC3B9AB50CD239F9B3C53A31F
SHA-256:CF46D490948695D6DC1936051D5B594CA50DE9DA9C6DAA40E5DE0F3F8E1991EF
SHA-512:F49F1125CA5646AD56A043029046A5750A1CC33B06EF8F09F65BCF7D490E1534B3E3EB299A7506D53CD702179D83556A222888AD32E3E3A82CBC73905B88393E
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04562918148302959
Encrypted:false
SSDEEP:3:GtlxtjlJ+pn9WMm4XuBoylxtjlJ+pn9WMm4XuBoXljR9//8l1lvlll1lllwlvll7:Gtwnv+5wnv++lt9X01PH4l942wU
MD5:8F6985C564C0813285534B61BD392C62
SHA1:7A0F55DF7061AAD1C4A37EB0CBF19456A276B546
SHA-256:47F5AC9E26E8C5C3C3B57DC5714B6E120A428FF889FCE1C20206586F000033E1
SHA-512:17861843FEE1E5C85522B0CAF7CD918D3C5FDD8AC0E82C18E4B35F078DB9034C1E445E3CF5AB5D09A2C7DBC35F6E85DF8EFF749E6419947251062146F504C3E5
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):49472
Entropy (8bit):0.48345211011299183
Encrypted:false
SSDEEP:48:R7JJNlQ18Ull7DYM88zO8VFDYMqBO8VFDYML:BJS9ll4FkjVGHjVGC
MD5:7E1099076D321B2D72099C7FBC8044BB
SHA1:1B9A7612F3762CB0827E8187A18AC9E84A6C3F35
SHA-256:436E6799867AA91AC1FEB572CA1991F46AF353FB91CF4D65ADC7CA8CFABDE668
SHA-512:4EA75A727B98B974A25BB25FFA62757E05505A67E37EADB6082F7F73AB84118BE950A5A23676ABFAFE64D11C7F88BD4EE6C37B335F916DB4A96521882DD85BE3
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):9692
Entropy (8bit):3.561334349567171
Encrypted:false
SSDEEP:192:BYYnhc/rurururur+DyiB6kOzZzk6kDrC0ck:BYYnu4444aFcklXh
MD5:D9CC078FE4FC633152611E59785B0653
SHA1:166EE637B0F0867CBED92D2FF0015C8B507A76AC
SHA-256:916C4CED999B6BCE0FC5E076463118C402DF9695087D8E1A47D111EDD33A46C5
SHA-512:C9644CE159F0ADCE804881A374A8EAFD640A2310800271D4F0A3805566D94C517B1D369107537EAC6C9512B1DF4CC37CD4A76E7D953C00DB9195A649B5DF8215
Malicious:false
Reputation:low

Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28776), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.16133448613434223
Encrypted:false
SSDEEP:1536:bIhzB0nvTXqx4KWdLYxwLpoK1OzsPZj39zC0S+rN9SxmBn:E0v+x4ZiOhZ
MD5:2BFCACB77AB334A6D4134F95289AA125
SHA1:24275A296BC35978453BA1534401B560C9B834F1
SHA-256:1D8429CAEC52FC98217A9F3DE650BBDE5695358176829E0C047CF0B227486751
SHA-512:D5D04544423478105127336E7CF842A268C988082CB7276935D409F536191D96D65D04EDEF0F527B9B353354F7865D5435906312C579A8BBDF2AEE22A7E7753A
Malicious:false
Reputation:low
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/02/2024 15:43:01.623.OUTLOOK (0x1D68).0x1D6C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":26,"Time":"2024-10-02T15:43:01.623Z","Contract":"Office.System.Activity","Activity.CV":"fAx9rMmzG0qWkQh0My5gjQ.4.11","Activity.Duration":15,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/02/2024 15:43:01.638.OUTLOOK (0x1D68).0x1D6C.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":28,"Time":"2024-10-02T15:43:01.638Z","Contract":"Office.System.Activity","Activity.CV":"fAx9rMmzG0qWkQh0My5gjQ.4.12","Activity.Duration":14867,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajor
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):20971520
                        Entropy (8bit):0.0
                        Encrypted:false
                        SSDEEP:3::
                        MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                        SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                        SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                        SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                        Malicious:false
                        Reputation:high, very likely benign file
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):106496
                        Entropy (8bit):4.497294678956681
                        Encrypted:false
                        SSDEEP:768:5fgsjQeD6tZsVXPRXW4Hwa9lybxMvq6XVx3VCo8WlWwzWQWulkY07:PY4Qa9lybivHXVx3VRle
                        MD5:B13F3B5AC93DEB38B4738AD6A27C7DAF
                        SHA1:B0DB516852F46DF72BE26A3882D09E5C21D08788
                        SHA-256:78FCD85C1B14A755715598DB9C2CA30FD937ED756AFF4AE3E970C7253E168CCD
                        SHA-512:D808ADA547DC0048786A559CD07F5F326F89076A29E5C455F5E0D6E453794EAB92FC7CA196183FCC110BE04D4334C2DD14D4FA6B30A4793A25BD9C68F5276102
                        Malicious:false
                        Reputation:low
                        Preview:............................................................................d...l...h..........................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................J;...........................v.2._.O.U.T.L.O.O.K.:.1.d.6.8.:.1.5.f.1.b.1.7.0.a.8.8.3.4.e.e.9.b.0.2.8.2.2.f.a.e.d.d.1.e.0.9.b...C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.2.T.1.1.4.3.0.0.0.9.3.5.-.7.5.2.8...e.t.l...........P.P.l...h..........................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):30
                        Entropy (8bit):1.2389205950315936
                        Encrypted:false
                        SSDEEP:3:aMh/lt:aMr
                        MD5:984182C48F4875788DC295EB5A6A62F6
                        SHA1:7094A70DDF6C91BA45B2BC9E5100964E5BF9CFA5
                        SHA-256:727AFA0BFB844F5E5E92CCCCC809B7D66A99057BF955ACFBB7DCB968E38022B9
                        SHA-512:91349174B37F8240F055D0ACA6B8E7FB1E45ED69B3A4C5B45F75338F9A5DA9DD2036591BC49D75F51996B7474A0DC012C8D8FFBFBDC2F059123366E08999E06B
                        Malicious:false
                        Reputation:low
                        Preview:.....p........................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:Microsoft Outlook email folder (>=2003)
                        Category:dropped
                        Size (bytes):271360
                        Entropy (8bit):2.79413208210293
                        Encrypted:false
                        SSDEEP:1536:HFa7TZPtwxLyX6QHDo42DX3p9p7R31HRRPvqQQCmVKm9V9WImuqcIbVVQZ+hnoTU:83ZW+aXbP3aqcIbVVQWjYp9RIfMp9
                        MD5:87B05DC64FB7DC0FA04D3A0ADFFB7D81
                        SHA1:EC62D27468E8C5CABBF8C5ED0B13F63BF0F922BA
                        SHA-256:E979A4FDD8527C9175840C1ED9309D2CB1E43A71D1C5EDD61FE3FCFD8371792B
                        SHA-512:D477DF12F139FC75CB222AE78320376CDB86622BC459D3567F25554825DCA5B3E11DA66AD51CA0A4649533847126ED0E570CCADEE401357D21120A8FB9831F75
                        Malicious:false
                        Reputation:low
                        Preview:!BDNy<.YSM......\....l...Q..............X................@...........@...@...................................@...........................................................................$.......D.......7..........................................................................................................................................................................................................................................................................................................................T........[.+M9.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                        Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                        File Type:data
                        Category:dropped
                        Size (bytes):131072
                        Entropy (8bit):3.695955882752752
                        Encrypted:false
                        SSDEEP:1536:JeOSRp7R3eHRRPvqQQCmVKm9V9WHmlqcIbVVQI6R+h0W53jEpEHP4qQ10PAwrUTF:NSRP3ZqcIbVVQhp9Qu9H
                        MD5:A4CCBFEE2F35B7EB2E897AD506310B88
                        SHA1:A84519BFCE5AD6E7BE292E999F547E773926646E
                        SHA-256:609DF6376876A6837536D18A3FCA851E395F9392176ABDC861FCD24638FAD7F9
                        SHA-512:F37661E33B8AFD60559D097E12D36E4AE65A13A3CDB53F66318384518A4E896E0ADBBDF530C0E3FCE0D005F3C4874B7B74DEF2FE01ABD06F2857005E01E62E5F
                        Malicious:false
                        Preview:...C...r.......h...A.........................#.!BDNy<.YSM......\....l...Q..............X................@...........@...@...................................@...........................................................................$.......D.......7..........................................................................................................................................................................................................................................................................................................................T........[.+M9.A...................@.....#......AAAAAAA...A&AAA.d.A.A.A%ALAAA.AAAAAAA.6#.tA.ntA...A...6..LA..bA...A...A6#.A..bA...A.bbAb..A...A...A6!.A*.HA..bA.w.A..bA.w#A..bA.SAA.AbA.S.A.6?.AA.AAA..AAAAAAV.AA6AAA..AAbAAA..AA.AAA?A.A!AAAQA.AnAAA.A.A.AAAOA.A.AAA..AA]AAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA6.AV.AAnAAAXAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A?.AA.AAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.A..AA.AAAA
                        File type:RFC 822 mail, ASCII text, with CRLF line terminators
                        Entropy (8bit):5.9596446881993
                        TrID:
                        • E-Mail message (Var. 5) (54515/1) 100.00%
                        File name:phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
                        File size:21'637 bytes
                        MD5:cbc29359632670fdb52f4fabbac46e8b
                        SHA1:9355cc00597778efc10b73afe5c6430bd7291639
                        SHA256:b64389fd6fbf45aa015af1921cf9759f4dab650c7d5fe11c7e6da4d19131ac76
                        SHA512:5f9d419321884cc83689f0f818a84ff8e5ba2d739586b0675d0b4b4d69a440d1657aaac78015ae50100c97520360b9b7edb8ca0ee9e29c783e929cea36bc66ef
                        SSDEEP:384:4h/71IU5wwTQa9x4iC9RBDqJWDO2ACH+/3h2+vifRK7OdJwvP8zgjmwyC78:471IqwwTri9R4JkAq/g7OjEgzC78
                        TLSH:CAA24915E2861186EEF010D56602BDC5A2A2FD4D63B345B03D6AE078BD8D437AB1C6DF
                        File Content Preview:Received: from SA3PR19MB7418.namprd19.prod.outlook.com.. (2603:10b6:806:304::11) by PH0PR19MB5410.namprd19.prod.outlook.com with.. HTTPS; Tue, 1 Oct 2024 19:11:32 +0000..Received: from PH7P220CA0136.NAMP220.PROD.OUTLOOK.COM.. (2603:10b6:510:327::8) by SA3
                        Subject:[EXTERNAL Email] ShareFile Login Information
                        From:Jonas Rice <mail@sf-notifications.com>
                        To:Kathi Rabun <KRabun@highlandsmortgage.com>
                        Cc:
                        BCC:
                        Date:Tue, 01 Oct 2024 19:09:48 +0000
                        Communications:
                        • ShareFile Login Information
                          Jonas Rice has sent you files using ShareFile. You will receive another email shortly with a download link that will require you to log in. To receive your login credentials, you must first activate your account and set your personal password. This link is unique to you and must be used within the next 30 days.
                          Click here to activate your user account
                          ShareFile is a tool for sending, receiving, and organizing your business files online. It can be used as a password-protected area for sharing information with clients and partners, and it's an easy way to send files that are too large to e-mail.
                          Trouble with the above link? You can copy and paste the following URL into your web browser: https://bakerlaw.sharefile.com/?a=8ac6b39caa69e5a6&cmd=ee&id=52d1699e-5e6f-4966-9166-4026e955d812
                          Baker Law, PLLC 5802 Woody Grove Road Indian Trail, NC 28079 704.369.5550 Fax: 704.731.0812 ***PLEASE NOTE: ALL FUNDS DUE TO THIS OFFICE IN EXCESS OF $5,000.00 MUST BE IN THE FORM OF A WIRE TRANSFER (NO ACH TRANSFERS WILL BE ACCEPTED) NO EXCEPTIONS.***
                        Attachments:
                          Key: Value
                          Received: from IP-AC102889 ([127.0.0.1]) by IP-AC102889.sf-notifications.com with Microsoft SMTPSVC(8.5.9600.16384); Tue, 1 Oct 2024 15:09:44 -0400
                          Arc-Seal: i=1; s=201903; d=dkim.mimecast.com; t=1727809888; a=rsa-sha256; cv=none; b=VoIjVC1YeXyTptdbJHRPlirym0w87vGC6q6hL8MWnih0LQzERVSKQ+bp0te1Kmt/QIZgjf NVQXr9lsm4UnTvHcWRYyx3ElPROW1X6DTK8Etk1K7+uaoAQgnIA00BZFCW6GzhnQ9g7hDG 4eyr1FuNVyWr/0N8Jyk8D1/d/WCsAwzyOD+W6hLO9objFCnCYzyLOhHM6MZWYWaiJ+OlA7 rCdGOVCBIiiLIqhCQLXrwbJmPa58gvH6GgAlwPblN6gsGYjGyRLDoJG16PlUBBjX6HWogY W77XmQPpm5/K8Xc+14IEg4Ol8cHhHPfApcpV5tsuK3i7Yrfma1CrJSFXbo8tJw==
                          Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1727809888; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:dkim-signature; bh=BTLqGC60f0Z///l61Z+Y5WAQPnRj4ghX86WHsTZUyU8=; b=lmo/wmZGc5iIlA2kY20i9ZhByPBWtWmzm3R2kn/gcMc5bKscq4HK75rILBeYsbZMIlXoDp BD18Vrb2H5bY9hDTDj1L8d3tUWuCt6KJeuAkarlguc9wl3DV9itErQiEwOGvuCdiRHKm18 LLhfFrIi6ALzNoq2vKcefiUYvhFbb17a1jnQ0efLqwe7GqnB82lNYUyAaIGQq0LplXEBe1 BbE55BADpL/FoLqtrmjTh1zx1Rndfde1WZhD1F1IDmqlAYjOFfO84W2OovdcryJRtDqJZX cPFdWLfKZGOilS5NKFeI3nSZ2a/HKpR7qYAhvqxQobfysPG02J1d85UOBFPepA==
                          Arc-Authentication-Results: i=1; relay.mimecast.com; dkim=pass header.d=sf-notifications.com header.s=s1 header.b=jch3qdC0; dmarc=pass (policy=quarantine) header.from=sf-notifications.com; spf=pass (relay.mimecast.com: domain of "bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" designates 167.89.16.232 as permitted sender) smtp.mailfrom="bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com"
                          Authentication-Results: spf=fail (sender IP is 205.139.110.120) smtp.mailfrom=em6701.sf-notifications.com; dkim=fail (signature did not verify) header.d=sf-notifications.com;dmarc=fail action=pctquarantine header.from=sf-notifications.com;compauth=none reason=451
                          Received-Spf: Fail (protection.outlook.com: domain of em6701.sf-notifications.com does not designate 205.139.110.120 as permitted sender) receiver=protection.outlook.com; client-ip=205.139.110.120; helo=us-smtp-inbound-delivery-1.mimecast.com
                          Authentication-Results-Original: relay.mimecast.com; dkim=pass header.d=sf-notifications.com header.s=s1 header.b=jch3qdC0; dmarc=pass (policy=quarantine) header.from=sf-notifications.com; spf=pass (relay.mimecast.com: domain of "bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" designates 167.89.16.232 as permitted sender) smtp.mailfrom="bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com"
                          X-Mc-Unique: VcECnzLUPTKWGxKova-uzQ-1
                          Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf-notifications.com; h=mime-version:content-type:sender:from:subject:reply-to:to:cc: content-type:from:subject:to; s=s1; bh=nbBu7B8e3G65+hlIkShLmxUKtDGR35zvgRVgNM9Ot5Y=; b=jch3qdC0JM/ep//Q3g5elNNrEyc4xTQvCygqkMV5/6fy/4QZdD8f3TdXlVN2Y1u3rtwb XaNSP+vDpWoeXs5mOtv7ydg2+y5D7O0B+Yh6+H04+DFnyAI62liIIKfW0YTcmN9g1G4hEn jZfb6lwD0/50//mx+fDbyvU4bVzphDIGZpLrA/RjoiBzG3CuneLlXYSDleQ3WJF3kOiZK2 4NcTSKWXdNrY9ySrNdh2si2yX91u7gd7zytWxI1r/bCorX6Ce4RSlMcG7OeBlcumRdXGda lcThja2SKb1lmYldyP1y+B/FQnkm8Uf0plkXbAx3h//gdjLnuuniic1xMbgI2VUA==
                          Date: Tue, 01 Oct 2024 19:09:48 +0000
                          Message-Id: <B8699E91DB553C0E37822E1C7A2AB478CAC964DD@IP0AC102889>
                          Sender: mail@sf-notifications.com
                          From: Jonas Rice <mail@sf-notifications.com>
                          Subject: [EXTERNAL Email] ShareFile Login Information
                          Return-Path: bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com
                          X-Originalarrivaltime: 01 Oct 2024 19:09:44.0321 (UTC) FILETIME=[79954710:01DB1435]
                          Reply-To: jonas@labakerlaw.com
                          X-Sg-Eid: u001.95PbW2L/KmzCvqTiMn9tE6Y+R7OvrZywS5XpDn6TCNfX74gRav7HAJCZbD0OPIxhi5CsF4mRxwc4tlbttoTBefUtUE7mrJ4L2gZI05EPcVtdPSyBF0mv5HUrusHAHqDISyvj1FTSC8T9IFoNRs/IE3x5x46T/BJgCQ0QiWSNvGH2kd3f9w1O7sAYccHbWPi6VsSYhaGC9udNxw6A6EViHuVTKjZPklj+4gDQ69E6lAWGXAqL3Qv7X3LosYzYb6vf
                          X-Sg-Id: u001.SdBcvi+Evd/bQef8eZF3BpTL9BgbK5wfSJMJGMsmprBdiDR+bQ7bMIKuEiWng/gpkUa1tev2F6kno+cTnqNWsI4u8lSxVViA6zPszNJJilxrbWLqNj4F1yZQMtLlfVGj
                          To: Kathi Rabun <KRabun@highlandsmortgage.com>
                          X-Entity-Id: u001.+3KkpFIqx/zwVtrqWuPUFg==
                          X-Mimecast-Spam-Score: 1
                          X-Ms-Exchange-Organization-Expirationstarttime: 01 Oct 2024 19:11:28.6600 (UTC)
                          X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
                          X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
                          X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
                          X-Ms-Exchange-Organization-Network-Message-Id: 00d108e0-a950-4458-280e-08dce24cda3d
                          X-Eopattributedmessage: 0
                          X-Eoptenantattributedmessage: 615a646c-2d45-4a1b-b3c6-5970189da9c4:0
                          X-Ms-Exchange-Organization-Messagedirectionality: Incoming
                          X-Ms-Publictraffictype: Email
                          X-Ms-Traffictypediagnostic: BL6PEPF0001AB73:EE_|SA3PR19MB7418:EE_|PH0PR19MB5410:EE_
                          X-Ms-Exchange-Organization-Authsource: BL6PEPF0001AB73.namprd02.prod.outlook.com
                          X-Ms-Exchange-Organization-Authas: Anonymous
                          X-Ms-Office365-Filtering-Correlation-Id: 00d108e0-a950-4458-280e-08dce24cda3d
                          X-Ms-Exchange-Organization-Scl: -1
                          X-Microsoft-Antispam: BCL:0;ARA:13230040|12012899012|13012899012|13102899012|3072899012|1032899013|4092899012|5062899012|3092899012|2092899012|31092699021|29132699027|5082899009|69100299015
                          X-Forefront-Antispam-Report: CIP:205.139.110.120;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:us-smtp-inbound-delivery-1.mimecast.com;PTR:us-smtp-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(12012899012)(13012899012)(13102899012)(3072899012)(1032899013)(4092899012)(5062899012)(3092899012)(2092899012)(31092699021)(29132699027)(5082899009)(69100299015);DIR:INB
                          X-Ms-Exchange-Crosstenant-Originalarrivaltime: 01 Oct 2024 19:11:28.5975 (UTC)
                          X-Ms-Exchange-Crosstenant-Network-Message-Id: 00d108e0-a950-4458-280e-08dce24cda3d
                          X-Ms-Exchange-Crosstenant-Id: 615a646c-2d45-4a1b-b3c6-5970189da9c4
                          X-Ms-Exchange-Crosstenant-Authsource: BL6PEPF0001AB73.namprd02.prod.outlook.com
                          X-Ms-Exchange-Crosstenant-Authas: Anonymous
                          X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
                          X-Ms-Exchange-Transport-Crosstenantheadersstamped: SA3PR19MB7418
                          X-Ms-Exchange-Transport-Endtoendlatency: 00:00:04.0355803
                          X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8026.016
                          X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)
                          X-Microsoft-Antispam-Message-Info
                          Content-Type multipart/mixed; boundary="----sinikael-?=_1-17278099636180.9908322910656406"
                          MIME-Version 1.0
                          X-Priority 3 (Normal)

                          Icon Hash:46070c0a8e0c67d6
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 2, 2024 17:43:28.241271973 CEST | 53 | 63357 | 162.159.36.2 | 192.168.2.5
                          Oct 2, 2024 17:43:28.724921942 CEST | 62762 | 53 | 192.168.2.5 | 1.1.1.1
                          Oct 2, 2024 17:43:28.732338905 CEST | 53 | 62762 | 1.1.1.1 | 192.168.2.5

                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                          Oct 2, 2024 17:43:28.724921942 CEST | 192.168.2.5 | 1.1.1.1 | 0x1d45 | Standard query (0) | 241.42.69.40.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                          Oct 2, 2024 17:43:28.732338905 CEST | 1.1.1.1 | 192.168.2.5 | 0x1d45 | Name error (3) | 241.42.69.40.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


                          Target ID:0
                          Start time:11:42:57
                          Start date:02/10/2024
                          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                          Wow64 process (32bit):true
                          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml"
                          Imagebase:0xfe0000
                          File size:34'446'744 bytes
                          MD5 hash:91A5292942864110ED734005B7E005C0
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:3
                          Start time:11:43:03
                          Start date:02/10/2024
                          Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F83E289-E183-4AC6-A1BF-9EC97AD59C71" "A4CDD259-2D47-4082-8BBA-59DA513136F7" "7528" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                          Imagebase:0x7ff722120000
                          File size:710'048 bytes
                          MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          No disassembly