Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0.eml
Analysis ID: 1529361
MD5: 67a4dcd8b166b29d85d9f24f91f82a54
SHA1: dfc63e9e76643ee96b10c5c402220f3c1d07acf1
SHA256: f3f37c37e07aeddbd348e4f1e766884e72a934cb0c2d5a9ac5cd28d28f9623d8
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6660 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6264 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "64F31229-3526-41A8-B3FF-577386D768AB" "7D96796A-F157-4C40-860D-76C722BF7505" "6660" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6660, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

There are no malicious signatures.

Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://webshell.suite.office.com
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://wus2.contentsync.
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://wus2.pagecontentsync.
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://www.odwebp.svc.ms
Source: C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drString found in binary or memory: https://www.yammer.com
Source: classification engine
  Classification label: clean1.winEML@3/18@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
  File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241008T1633150768-6660.etl
Source: unknown
  Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "64F31229-3526-41A8-B3FF-577386D768AB" "7D96796A-F157-4C40-860D-76C722BF7505" "6660" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
  Section loaded: apphelp.dll
  Section loaded: c2r64.dll
  Section loaded: userenv.dll
  Section loaded: msasn1.dll
  Section loaded: kernel.appcore.dll
  Section loaded: cryptsp.dll
  Section loaded: rsaenh.dll
  Section loaded: cryptbase.dll
  Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
  Window found: window name: SysTabControl32
Source: Window Recorder
  Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: phish_alert_sp2_2.0.0.0.eml
  Static file information: File size 1501789 > 1048576
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
  Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: phish_alert_sp2_2.0.0.0.eml
  Binary or memory string: KM1m0X5VMLFepSqEER+m7KrjCuHJHGFsKYwfB+9jGRuoTVlFa61lZrbauzXWX3xsVS62WWVIRytv
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
  Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
  Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Security Software Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 1 Process Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | 13 System Information Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
[Behavior graph] Behavior Graph ID: 1529361; Sample: phish_alert_sp2_2.0.0.0.eml; Startdate: 08/10/2024; Architecture: WINDOWS; Score: 1. Process tree: OUTLOOK.EXE started; ai.exe started by OUTLOOK.EXE.

No Antivirus matches
No contacted domains info
              • URL Reputation: safe
              unknown
              https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
              • URL Reputation: safe
              unknown
              https://d.docs.live.netC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                unknown
                https://safelinks.protection.outlook.com/api/GetPolicyC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                • URL Reputation: safe
                unknown
                https://ncus.contentsync.C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                • URL Reputation: safe
                unknown
                https://onedrive.live.com/about/download/?windows10SyncClientInstalled=falseC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  unknown
                  https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  http://weather.service.msn.com/data.aspxC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://apis.live.net/v5.0/C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://officepyservice.office.net/service.functionalityC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asksC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://templatesmetadata.office.net/C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://messaging.lifecycle.office.com/C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://mss.office.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://pushchannel.1drv.msC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://management.azure.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://outlook.office365.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://wus2.contentsync.C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://incidents.diagnostics.office.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://clients.config.office.net/user/v1.0/iosC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://make.powerautomate.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://api.addins.omex.office.net/api/addins/searchC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://insertmedia.bing.office.net/odc/insertmediaC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://outlook.office365.com/api/v1.0/me/ActivitiesC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://api.office.netC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://incidents.diagnosticssdf.office.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://asgsmsproxyapi.azurewebsites.net/C7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://clients.config.office.net/user/v1.0/android/policiesC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  https://entitlement.diagnostics.office.comC7CDC68E-78A2-450B-BB68-9A6090C96C81.0.drfalse
                  • URL Reputation: safe
                  unknown
                  No contacted IP infos
                  Joe Sandbox version:41.0.0 Charoite
                  Analysis ID:1529361
                  Start date and time:2024-10-08 22:32:40 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 22s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:defaultwindowsinteractivecookbook.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:13
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:phish_alert_sp2_2.0.0.0.eml
                  Detection:CLEAN
                  Classification:clean1.winEML@3/18@0/0
                  EGA Information:Failed
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .eml
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.113.194.132, 52.109.68.129, 2.19.126.160, 2.19.126.151, 20.42.73.25
                  • Excluded domains from analysis (whitelisted): omex.cdn.office.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, mobile.events.data.microsoft.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, onedscolprdeus06.eastus.cloudapp.azure.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, ukw-azsc-config.officeapps.live.com, a1864.dscd.akamai.net, ecs.office.com, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, s-0005.s-msedge.net, config.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net
                  • Not all processes where analyzed, report is missing behavior information
                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: phish_alert_sp2_2.0.0.0.eml
                  No simulations
Input: URL: Email Model: jbxai
Output:
{
"brand":["DocuSign"],
"contains_trigger_text":true,
"trigger_text":"DocuSign: Standard_O",
"prominent_button_name":"unknown",
"text_input_field_labels":"unknown",
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":false,
"text":"You don't often get email from wilsonbernardzp@icloud.com. Learn why this is important steven.rodriguez@gtfcu.org",
"has_visible_qrcode":false
}
                  No context
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):231348
                  Entropy (8bit):4.378344591875858
                  Encrypted:false
                  SSDEEP:1536:G1YLUxgsbyj284JifgsMGNcAz79ysQqt2oT+njqoQP0rcm0Fvhe7yDq/AqQekk70:RygoL8gAmiGu21qoQ8rt0FvBS6yAxBv
                  MD5:24CA466EC6400B62D8A9FEEF57F0EF80
                  SHA1:1830E1E95086FA1115AAF7FDF62CC393DCA67B2E
                  SHA-256:A1E99B5B9DB0C5CCB7F1205E393479FE3968B86E92C607D8BA78C5D603002351
                  SHA-512:15C69A5EB061B04A4D3CB105096AF789DBABF72ABD0AF7AFE606731061269E837B0897D2E09F68CC4CCCF7DB44DAB95241652AA1A0B27A82E7590EDCD346F66B
                  Malicious:false
                  Reputation:low
                  Preview:TH02...... ....B........SM01X...,......B............IPM.Activity...........h...............h............H..h..S...........h..........H..h\cal ...pDat...h(]..0...p.S....h...............h........_`Rk...h....@...I.lw...h....H...8.Wk...0....T...............d.........2h...............k..............!h.............. h0.>$......S...#h....8.........$h......8....."h..............'h..e...........1h....<.........0h....4....Wk../h....h.....WkH..h...p.....S...-h .........S...+hE........S................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000....Microsoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:ASCII text, with very long lines (65536), with no line terminators
                  Category:dropped
                  Size (bytes):322260
                  Entropy (8bit):4.000299760592446
                  Encrypted:false
                  SSDEEP:6144:dztCFLNyoAHq5Rv2SCtUTnRe4N2+A/3oKBL37GZbTSB+pMZIrh:HMLgvKz9CtgRemO3oUHi3SBSMZIl
                  MD5:CC90D669144261B198DEAD45AA266572
                  SHA1:EF164048A8BC8BD3A015CF63E78BDAC720071305
                  SHA-256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
                  SHA-512:16F8A8A6DCBAEAEFB88C7CFF910BCCC71B76A723CF808B810F500E28E543112C2FAE2491D4D209569BD810490EDFF564A2B084709B02963BCAF6FDF1AEEC59AC
                  Malicious:false
                  Reputation:high, very likely benign file
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:ASCII text, with no line terminators
                  Category:dropped
                  Size (bytes):10
                  Entropy (8bit):2.9219280948873623
                  Encrypted:false
                  SSDEEP:3:LNRUcrn:hRFrn
                  MD5:8DC736425899CF671557A85DFED2242B
                  SHA1:ECD6838E621FDE98A8269A998FA1008CEADA6E1D
                  SHA-256:3C5EC4E085CA7BE245E43C0B08E6FA6B4F775F32119BE3D38C84DD30D68DDA96
                  SHA-512:E3B1A4400A4706CA2200687F22E3240B357723DB97A0DF0C911C804436E578E2D994FF62BAE6644B4354F2254AFAEDC4FF83350F588A33FE590522E0FF2B311F
                  Malicious:false
                  Reputation:low
                  Preview:1728419600
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):177810
                  Entropy (8bit):5.287208533716258
                  Encrypted:false
                  SSDEEP:1536:2i2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXPEAD2Odavo:jCe7HW8bM/o/TXsk4o
                  MD5:CD76266EC09F85F88F691DFDA1BD3C78
                  SHA1:3D0C904FEB768EBE5C8D30CF942D257ED4113ACB
                  SHA-256:9E734CFBAAE2E8DCBF3E94A33B842B2A0F31D2F80A03BFE0BAA6E0F6F5B0DDA9
                  SHA-512:7A8068CA5B0E3EDDD5858555DFCE3A9BB3435DB1C791CEF55C13E5DE34BDADE1946EF56E05547408C41780CD66B1D89F999628956504207613508F2FF3703A2C
                  Malicious:false
                  Reputation:low
                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-08T20:33:18">.. Build: 16.0.18124.40132-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
                  Category:dropped
                  Size (bytes):4096
                  Entropy (8bit):0.09304735440217722
                  Encrypted:false
                  SSDEEP:3:lSWFN3l/klslpEl9Xll:l9F8E+9
                  MD5:D0DE7DB24F7B0C0FE636B34E253F1562
                  SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
                  SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
                  SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
                  Malicious:false
                  Reputation:high, very likely benign file
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:SQLite Rollback Journal
                  Category:dropped
                  Size (bytes):4616
                  Entropy (8bit):0.13681650948595175
                  Encrypted:false
                  SSDEEP:3:7FEG2l+jkY/FllkpMRgSWbNFl/sl+ltlslN04l9Xllo:7+/lVAg9bNFlEs1E39w
                  MD5:66E62764CABBE014B8CD45761409D4C9
                  SHA1:225C3AACEF555439E9249CFA67442B4B5686DC37
                  SHA-256:55E4ABAB89704263AE825E718917A987E54B6EB97D3EA8A8DD0907F52141B5B8
                  SHA-512:2DD06AEE436707DE21CE98657864031287E70BB428E847BBC1743AFB6546A6D8F93D7E27F4A5F7D9C5F8D5F12B4A6005862F2AF11FB3A11D5C9AE7549F92CE55
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):32768
                  Entropy (8bit):0.04453451757384427
                  Encrypted:false
                  SSDEEP:6:G4l2Nwqr7hlNl2Nwqr7h/t0L9XXPH4l942U:l2GqXhl2GqXh/S5A0
                  MD5:01B9D42BD728434BF939AE34AB00E199
                  SHA1:C54AD0B1B1BEE8DE82AB71AB4EF1C8CD3B0ECF74
                  SHA-256:08EB8EBB44736CA3DF85F4E5546D1EACD91949A9124ADE20B304A531F9D5532A
                  SHA-512:B7EC98371AFD8BC9329C777F620080670E4D28444E614A8C91EE16A60860826961777CA831922FC66C572E3802E35DC530B5DFA1C8451AF5F5CE09AF6FE742DA
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:SQLite Write-Ahead Log, version 3007000
                  Category:modified
                  Size (bytes):45352
                  Entropy (8bit):0.39471995343232147
                  Encrypted:false
                  SSDEEP:24:Kg7kloEpQMIzRDwYE9Till7DBtDi4kZERDwjgJ+Ehxqt8VtbDBtDi4kZERDwsrDe:Dklo8Qjloill7DYMQgUAxO8VFDYMf
                  MD5:C9AAE22BE6C942DF26391857BA692DF2
                  SHA1:DAFC60BC0424BB9BABCC4FABC7C5CACF017DF865
                  SHA-256:45DDFDE6EA1BA3F8083876A9B0B62F3AB97B0E33F637977714752B8C4676C372
                  SHA-512:4E5E41BB80FBE7A8F522AAD8BA2612717D46CF59A1C45E6891D2E976255EAF500699C01DBE27A73B437F6F76162FA8883D90E2D482F1D43A5BB88F563ED6AB06
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 2052x3594, components 3
                  Category:dropped
                  Size (bytes):1081960
                  Entropy (8bit):7.894946711662072
                  Encrypted:false
                  SSDEEP:24576:+yky8222qjUy/s/eTMoN5bxGJZ45gyA/lTTWh:+ykyt7/ejoJagyA/lPWh
                  MD5:5052180E576BFF7EA2159B174404C7C2
                  SHA1:2A7811D57ACB8B040B931090470E78050D1F11D2
                  SHA-256:C045C8EAEA51B631EC2E64AB7BDEFDBD085BE30A7F22CBF1C4290CE31317A327
                  SHA-512:D5F2CE584A65263D80C3C76D0AF26AC2AC88B42846309653A9F74DEDDC05CA9AAB28831168E9B150DED2F35137395289F30418FC37F6A4480B61A02F26B6197C
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1604
                  Entropy (8bit):1.2088812415803292
                  Encrypted:false
                  SSDEEP:6:t+RCNl8a+5MVJBX1TP9AKY2EAhkly/n8irwl2FlXMvOwWlqH4/rH:tXz+5uJREL2Vkl5iklUlXUIH
                  MD5:E5CF9B4C3B67E31A28B44CBF78E7DAE7
                  SHA1:3DF75F1A73E83CC0E3575ECCA0DE8DDDF2C251D9
                  SHA-256:3CC53BEB3FA5DF3DBFFDF57733AC780B2F130C03E2992C7E8558BE5D3D5EB54B
                  SHA-512:399B484A6CE40D9029DCE9583A261B8160334F7574DEFAE9C10F797C385DBFA58975BB13900832D94329DDA0D6705B50C394379EAD5F56B392876BADB7699C49
                  Malicious:false
                  Preview:......Y.o.u. .d.o.n.'.t. .o.f.t.e.n. .g.e.t. .e.m.a.i.l. .f.r.o.m. .w.i.l.s.o.n.b.e.r.n.a.r.d.z.p.@.i.c.l.o.u.d...c.o.m... .H.Y.P.E.R.L.I.N.K. .".h.t.t.p.s.:././.a.k.a...m.s./.L.e.a.r.n.A.b.o.u.t.S.e.n.d.e.r.I.d.e.n.t.i.f.i.c.a.t.i.o.n."...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:ASCII text, with very long lines (28728), with CRLF line terminators
                  Category:dropped
                  Size (bytes):20971520
                  Entropy (8bit):0.16130701752656884
                  Encrypted:false
                  SSDEEP:1536:x4/drLu4peTjDdWo8tv76eoDB5H7yMKSpjQ8+CyYqUgSznB8:0LTgTdWLmNpM
                  MD5:B0AA5E250C88A6FD64C893A56879BC97
                  SHA1:F0EF9788945CD88A761DC45FEC460F43B2CA9969
                  SHA-256:B878F1D5DE27A44451043C6634C18083F766E8DF81DB8A3BA218E19372C6DAB6
                  SHA-512:E0EE8A1E621BDBEDA4EE9414465351F9EF717CA3E3DF85D3A9FD1DE2184D13311CCEE1D668E92258B7A0018AA42B88A7DF06F08C2335D5EFAC728A7F98B4E83A
                  Malicious:false
                  Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/08/2024 20:33:15.991.OUTLOOK (0x1A04).0x1A18.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-10-08T20:33:15.991Z","Contract":"Office.System.Activity","Activity.CV":"bxoww21IoUyeXPNnSD58fQ.4.9","Activity.Duration":12,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/08/2024 20:33:16.023.OUTLOOK (0x1A04).0x1A18.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-10-08T20:33:16.023Z","Contract":"Office.System.Activity","Activity.CV":"bxoww21IoUyeXPNnSD58fQ.4.10","Activity.Duration":11904,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):20971520
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3::
                  MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
                  SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
                  SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
                  SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):102400
                  Entropy (8bit):4.470865572354777
                  Encrypted:false
                  SSDEEP:768:u8m/rXQDUaBvDMArO4g0u9LkSPZ4EUSXYjCuaQdx:u8S4g0u9LkSxMSXYmQx
                  MD5:8B6BEC2A507F687FEAF2E1F19CB2A42A
                  SHA1:E5DDF79CDC9E8C3385E0CA40C0D8728A2F4A28D9
                  SHA-256:03C4820279756E52A48E600DB72B6FF0D17B43C3FD6E3171AA2F653EAC251390
                  SHA-512:ABF03826B402830970209B53670A169A0558040234D269D6F0AF77FEAB1EA45C8A0BBC9A7C6BC5F37639BAFEE259818E88984C522E2DFFC328AB130449838320
                  Malicious:false
                  Preview:............................................................................`.............M....................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1...........................................................@.8..Y............M............v.2._.O.U.T.L.O.O.K.:.1.a.0.4.:.2.7.4.0.6.d.2.2.a.c.9.1.4.d.8.3.9.0.b.2.a.f.3.a.e.1.e.b.6.7.0.7...C.:.\.U.s.e.r.s.\.c.a.l.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.1.0.0.8.T.1.6.3.3.1.5.0.7.6.8.-.6.6.6.0...e.t.l.......P.P...........M............................................................................................................................................................................................................................................................................................................
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):950888
                  Entropy (8bit):7.90053377103191
                  Encrypted:false
                  SSDEEP:24576:q8222qjUy/s/eTMoN5bxGJZ45gyA/lTTWh:qt7/ejoJagyA/lPWh
                  MD5:6981811C750C0C65633A8025EE2FB4FF
                  SHA1:7EC2B31CBC88858650F4197D1D8D24962E69FCEA
                  SHA-256:29661C7A39FF1CFFBAE52314E177BE2B6C603B7448CB97B7130108565CF65F47
                  SHA-512:4AF22FD6BE58FF9B81AB042FF13AE9E610E4C7CF0F012806E1151660DB12B0AD14A502D41D3D62468E0B7FF07E42482FAC7DB1D9DCD82416E1537E05EC1927AB
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):30
                  Entropy (8bit):1.2389205950315936
                  Encrypted:false
                  SSDEEP:3:Gpt:Gp
                  MD5:94B9FC13C2B09E3F7BF86987DEEC9733
                  SHA1:B0C3399B157E0FAC0B2EAFBC83A27DD13BDE381A
                  SHA-256:E15B541C81DD34377ECE56C2B73C13BD5692A39AE3714620898384DFD30EFE2C
                  SHA-512:455325AFB41B1BB9EBABA399E6B83AA4CEA1FB511E164FAF070F62D34B3203F51311B566D1AABD850018B3077FC23BB03B30642BA151BFE220D4C578596FE343
                  Malicious:false
                  Preview:....1.........................
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Composite Document File V2 Document, Cannot read section info
                  Category:dropped
                  Size (bytes):16384
                  Entropy (8bit):0.670905929311311
                  Encrypted:false
                  SSDEEP:12:rl3baFe9CqLKeTy2MyheC8T23BMyhe+S7wzQP9zNMyhe+S7xMyheC4tUpm:rHRmnq1Py961dpm
                  MD5:4B153C4FC497C79F3DB66F6BAE3D617A
                  SHA1:3E2ADF5469D2A47AB9C1CEE246D8CA6B41123962
                  SHA-256:7901F9C7C5C18C638D061B52849D43A4607FBF312FB4FBC184066128985782E0
                  SHA-512:2138155F05B0C2E12B4C783810BF7490A2240E5727F18131D76A829BDDC961293BF2784FD281ED795E91317B8455ADAAAF131A6113B89D291A12EA5777E22F37
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:Microsoft Outlook email folder (>=2003)
                  Category:dropped
                  Size (bytes):2302976
                  Entropy (8bit):4.9891648732057
                  Encrypted:false
                  SSDEEP:49152:pfOJBZxn9GYwGbux81CsU1CsUzisUSCsUfCsUWqkkxPysU:0JBZxn0Gb
                  MD5:B83B2BD1049CA638733CA43827E8B8DE
                  SHA1:AE536DBB85D98901C6EC1D51DBFA6339E1791529
                  SHA-256:24CC5F46C509A91C75CC1F18CBA6A0CF1D11FF58574B3DC6628D6F9DBDE6E03E
                  SHA-512:30ECD7E5F082455C9B7CDC225348122AA549AAB5B196F357D446B0BBE7CD842EA1D2B7B075E8C6840B2F49BCFA0B349E1067AB29728300CA9E9BA3F10C3C227A
                  Malicious:false
                  Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  File Type:data
                  Category:dropped
                  Size (bytes):1179648
                  Entropy (8bit):7.783948714724789
                  Encrypted:false
                  SSDEEP:24576:dCsU1CsUzisUSCsUfCsUSqkkxPysUOPEfKeuYlegnmQs2Uo7eDJ4JWAH5+QG:dCsU1CsUzisUSCsUfCsUSqkkxPysUhfC
                  MD5:38748ED34DBDF2A74E50DB1CC2E45799
                  SHA1:23965E05071E713BC51B2641413585300A34B17C
                  SHA-256:A905C3A088783A6328B1A2CC151F257592E7D6C0D0E0765ABC70560AC199FD22
                  SHA-512:49B0B2DB77016B2338B88AF3FDDC057F6C1D0598C79623CECFE0F0CD6D2C0E020A3D6BB5DCB4E3F99F14A776A374463F414D0803D2CCFC2A2CE8123ACAD82330
                  Malicious:false
                  File type:RFC 822 mail, ASCII text, with very long lines (1945), with CRLF line terminators
                  Entropy (8bit):6.017792895299113
                  TrID:
                  • E-Mail message (Var. 5) (54515/1) 100.00%
                  File name:phish_alert_sp2_2.0.0.0.eml
                  File size:1'501'789 bytes
                  MD5:67a4dcd8b166b29d85d9f24f91f82a54
                  SHA1:dfc63e9e76643ee96b10c5c402220f3c1d07acf1
                  SHA256:f3f37c37e07aeddbd348e4f1e766884e72a934cb0c2d5a9ac5cd28d28f9623d8
                  SHA512:52a2687e35d05f2d96bd0aed1aea30bd92dd9fc597d01c1bb3eea592a332b2e1b9f0f960a58b2d5f73c983039c5337f8cae80eda7557dac84c670aa3dc5319d9
                  SSDEEP:24576:5C+8kvuxzhooCmf9q+FQ7zfBVMIiLhoo9zv/OT4LVO:B/uDoP1BV8VO
                  TLSH:E865BCF9B893FDB97B2341D3C1066624FEE4099FCA020B12865917749BEC8694F73C99
                  File Content Preview:Received: from DM4PR02MB9213.namprd02.prod.outlook.com (::1) by.. BL0PR02MB3825.namprd02.prod.outlook.com with HTTPS; Fri, 4 Oct 2024.. 19:57:35 +0000..Received: from SJ0PR13CA0157.namprd13.prod.outlook.com.. (2603:10b6:a03:2c7::12) by DM4PR02MB9213.nampr
                  Subject:Gtfcu Review And Download 10:55:15 AM
                  From:Access Document <Wilsonbernardzp@icloud.com>
                  To:Steven Rodriguez <Steven.Rodriguez@gtfcu.org>
                  Cc:
                  BCC:
                  Date:Fri, 04 Oct 2024 19:57:21 +0000
                  Communications:
                  • You don't often get email from wilsonbernardzp@icloud.com. Learn why this is important https://aka.ms/LearnAboutSenderIdentification
                  Attachments:
                  • attachment-2.png
                  • ACHPAYMENT66.html
                  Key:Value
                  Received:from icloud.com (qs51p00im-dlb-asmtp-mailmevip.me.com [17.57.155.28]) by qs51p00im-qukt01072502.me.com (Postfix) with ESMTPSA id 42AA76EC03D6 for <steven.rodriguez@gtfcu.org>; Fri, 4 Oct 2024 19:57:21 +0000 (UTC)
                  Authentication-Results:spf=pass (sender IP is 17.57.155.15) smtp.mailfrom=icloud.com; dkim=pass (signature was verified) header.d=icloud.com;dmarc=pass action=none header.from=icloud.com;compauth=pass reason=100
                  Received-Spf:Pass (protection.outlook.com: domain of icloud.com designates 17.57.155.15 as permitted sender) receiver=protection.outlook.com; client-ip=17.57.155.15; helo=qs51p00im-qukt01072502.me.com; pr=C
                  Dkim-Signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1728071843; bh=f7CaaIZZq27m/QQodsbUUBI1DpCPWDJpxB4ZNA5N30U=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=VPRdO6foTMhKHr40JU57Jkm48ul90IkQGoQlDA0afcFrPUX7Y85uW8KwLoDU5iMF6 icJArAYeqHEBu3SOrbEQhWnsR3LJQTQEcznFxs6pm5MbQCchY3KhTBICL0ePZwMDg9 7VMVsCIr8eetIqc00QLudi31jFf0+AZ3tGhN6T7nuS9nCi5uxsc8CFTelNZmwwqxFK RWg1SYgdOdfTC49F3oar8oK65QQiMD0UMPfSH3iDEhgn5P3FdcHXNMHC+RfGgaHsOm byz3YGchzsdnCZ4jXN1wIfeYg+KwBhVFMkCK6/BlvoBeGKcLqeAqXHWWEYkp40hunX TlarKcrrj+iwA==
                  From:Access Document <Wilsonbernardzp@icloud.com>
                  To:Steven Rodriguez <Steven.Rodriguez@gtfcu.org>
                  Subject:Gtfcu Review And Download 10:55:15 AM
                  Message-Id:<b403d18f-7e51-72cd-a7c1-a629ad1c75d6@icloud.com>
                  X-Priority:1 (Highest)
                  X-Msmail-Priority:High
                  Importance:High
                  Date:Fri, 04 Oct 2024 19:57:21 +0000
                  MIME-Version:1.0
                  Content-Type:multipart/mixed; boundary="----sinikael-?=_1-17280731489050.8302846164470943"
                  Return-Path:Wilsonbernardzp@icloud.com
                  X-Ms-Exchange-Organization-Expirationstarttime:04 Oct 2024 19:57:25.1297 (UTC)
                  X-Ms-Exchange-Organization-Expirationstarttimereason:OriginalSubmit
                  X-Ms-Exchange-Organization-Expirationinterval:1:00:00:00.0000000
                  X-Ms-Exchange-Organization-Expirationintervalreason:OriginalSubmit
                  X-Ms-Exchange-Organization-Network-Message-Id:55f92dfb-a50a-41cd-4d8c-08dce4aec476
                  X-Eopattributedmessage:0
                  X-Eoptenantattributedmessage:b9030599-0415-473e-b655-bb93120dc9cf:0
                  X-Ms-Exchange-Organization-Messagedirectionality:Incoming
                  X-Ms-Publictraffictype:Email
                  X-Ms-Traffictypediagnostic:SJ1PEPF00002320:EE_|DM4PR02MB9213:EE_|BL0PR02MB3825:EE_
                  X-Ms-Exchange-Organization-Authsource:SJ1PEPF00002320.namprd03.prod.outlook.com
                  X-Ms-Exchange-Organization-Authas:Anonymous
                  X-Ms-Office365-Filtering-Correlation-Id:55f92dfb-a50a-41cd-4d8c-08dce4aec476
                  X-Ms-Exchange-Atpmessageproperties:SA|SL
                  X-Ms-Exchange-Organization-Scl:1
                  X-Microsoft-Antispam:BCL:0;ARA:13230040|5073199012|7093399012|4073199012|2722699018|38000299018|43540500003;
                  X-Forefront-Antispam-Report:CIP:17.57.155.15;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:qs51p00im-qukt01072502.me.com;PTR:qs51p00im-qukt01072502.me.com;CAT:NONE;SFTY:9.25;SFS:(13230040)(5073199012)(7093399012)(4073199012)(2722699018)(38000299018)(43540500003);DIR:INB;SFTY:9.25;
                  X-Ms-Exchange-Crosstenant-Originalarrivaltime:04 Oct 2024 19:57:24.7078 (UTC)
                  X-Ms-Exchange-Crosstenant-Network-Message-Id:55f92dfb-a50a-41cd-4d8c-08dce4aec476
                  X-Ms-Exchange-Crosstenant-Id:b9030599-0415-473e-b655-bb93120dc9cf
                  X-Ms-Exchange-Crosstenant-Authsource:SJ1PEPF00002320.namprd03.prod.outlook.com
                  X-Ms-Exchange-Crosstenant-Authas:Anonymous
                  X-Ms-Exchange-Crosstenant-Fromentityheader:Internet
                  X-Ms-Exchange-Transport-Crosstenantheadersstamped:DM4PR02MB9213
                  X-Ms-Exchange-Transport-Endtoendlatency:00:00:10.9070326
                  X-Ms-Exchange-Processed-By-Bccfoldering:15.20.8026.016
                  X-Microsoft-Antispam-Mailbox-Delivery:ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
                  Content-Transfer-Encoding:7bit

                  Icon Hash:46070c0a8e0c67d6
                  No network behavior found

                  Target ID:0
                  Start time:16:33:15
                  Start date:08/10/2024
                  Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
                  Wow64 process (32bit):true
                  Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
                  Imagebase:0xa90000
                  File size:34'446'744 bytes
                  MD5 hash:91A5292942864110ED734005B7E005C0
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  Target ID:7
                  Start time:16:33:17
                  Start date:08/10/2024
                  Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
                  Wow64 process (32bit):false
                  Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "64F31229-3526-41A8-B3FF-577386D768AB" "7D96796A-F157-4C40-860D-76C722BF7505" "6660" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
                  Imagebase:0x7ff605400000
                  File size:710'048 bytes
                  MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:false

                  No disassembly