Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0.eml
Analysis ID: 1486295
MD5: 3ca27d913f217e45f50bab9fc8e0bc73
SHA1: b3f9509f2aa785bf9d8cb61d59c204dcbd7424a2
SHA256: d5986e069a8dece2eb00e0137d4414bd1c70c78f864a7412cc2aa32525b8360e

Detection

Score: 21
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

AI detected suspicious e-Mail
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6156 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 2840 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ED72A732-28E0-446F-A954-11D755EBF49D" "D617B9A2-E7BE-4063-901F-F9515E22E3C2" "6156" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • HxOutlook.exe (PID: 6648 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca MD5: 6F8EAC2C377C8F16D91CB5AC8B8DBF5F)
  • HxAccounts.exe (PID: 2604 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca MD5: 6FEB00C9A2C3FF66230658B3012BAB6A)
  • cleanup
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

Source: classification engine; Classification label: sus21.winEML@5/19@0/64
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240801T1632370773-6156.etl
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "ED72A732-28E0-446F-A954-11D755EBF49D" "D617B9A2-E7BE-4063-901F-F9515E22E3C2" "6156" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown; Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Source: unknown; Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.applicationmodel.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dwrite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.globalization.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: bcp47mrm.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: textshaping.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: profapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.networking.connectivity.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.networking.hostname.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.energy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: rmclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.storage.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: wldp.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: rometadata.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: mrmcorer.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.staterepositoryclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.shell.servicehostbuilder.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: execmodelproxy.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: uiamanager.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.core.textinput.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.immersive.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dataexchange.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: cryptbase.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.accountscontrol.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: xmllite.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.security.authentication.web.core.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: vaultcli.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.ui.xaml.controls.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: userenv.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: profext.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: directmanipulation.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: winrttracing.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: hxoutlook.resources.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: msftedit.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: globinputhost.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windowscodecs.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: windows.graphics.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: wuceffects.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: threadpoolwinrt.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeSection loaded: execmodelclient.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeSection loaded: dwmapi.dll
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeSection loaded: execmodelclient.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEWindow found: window name: SysTabControl32
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeFile opened: C:\Windows\SYSTEM32\msftedit.dll
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Persistence and Installation Behavior

Source: e-MailLLM: Score: 9 Reasons: The email exhibits several characteristics of a phishing attempt. Firstly, it impersonates a brand, 'Gms Worldwide,' which may or may not be a legitimate brand. The sender's email address is not visible, but the URL provided for accessing the document is highly suspicious. The domain 'simplemagiclink.com' is not associated with 'Gms Worldwide,' and the use of a long, complex URL with multiple subdomains and parameters is a common tactic in phishing emails. Additionally, the email creates a sense of urgency by stating that the invite will only work for the recipient and people in 'Gms Worldwide,' which is a social engineering tactic to induce clicks. The email also includes a confidentiality notice, which is often used to add a false sense of legitimacy. Overall, the combination of brand impersonation, suspicious URL, and social engineering tactics strongly indicates that this is a phishing email.
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEFile Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeQueries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exeQueries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exeQueries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 Browser Extensions | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 14 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |

No Antivirus matches
No contacted domains info
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 52.113.194.132 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 2.19.126.160 | unknown | European Union | 16625 | AKAMAI-ASUS | false |
| 52.109.89.18 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 52.109.32.7 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 52.168.117.168 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 13.107.42.16 | unknown | United States | 8068 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
Joe Sandbox version:40.0.0 Tourmaline
Analysis ID:1486295
Start date and time:2024-08-01 22:32:03 +02:00
Joe Sandbox product:CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:20
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • EGA enabled
Analysis Mode:stream
Analysis stop reason:Timeout
Sample name:phish_alert_sp2_2.0.0.0.eml
Detection:SUS
Classification:sus21.winEML@5/19@0/64
Cookbook Comments:
  • Found application associated with file extension: .eml
  • Exclude process from analysis (whitelisted): dllhost.exe, SgrmBroker.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 52.109.89.18, 184.28.90.27
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, e16604.g.akamaiedge.net, ctldl.windowsupdate.com, officeclient.microsoft.com, weu-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, europe.configsvc1.live.com.akadns.net
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • VT rate limit hit for: phish_alert_sp2_2.0.0.0.eml
Input: URL: e-Mail; Model: gpt-4o
Output:
```json
{
  "riskscore": 9,
  "brand_impersonated": "Gms Worldwide",
  "reasons": "The email exhibits several characteristics of a phishing attempt. Firstly, it impersonates a brand, 'Gms Worldwide,' which may or may not be a legitimate brand. The sender's email address is not visible, but the URL provided for accessing the document is highly suspicious. The domain 'simplemagiclink.com' is not associated with 'Gms Worldwide,' and the use of a long, complex URL with multiple subdomains and parameters is a common tactic in phishing emails. Additionally, the email creates a sense of urgency by stating that the invite will only work for the recipient and people in 'Gms Worldwide,' which is a social engineering tactic to induce clicks. The email also includes a confidentiality notice, which is often used to add a false sense of legitimacy. Overall, the combination of brand impersonation, suspicious URL, and social engineering tactics strongly indicates that this is a phishing email."
}
```
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):231348
Entropy (8bit):4.394529052571661
Encrypted:false
SSDEEP:
MD5:5E950C5E3C741144982414D0291E0BF3
SHA1:FC8562A0CC40C316C69CA2ED7F894A8A6E7D7E42
SHA-256:419FD210D42878FF5A0E750B651756C3A2C957F125DBAADAC20D26D788FA79D3
SHA-512:80261401AA44F5DCBEEC137F2F1128E6C55F5EBD395D8B85BE60C226AC3E933F7E00EFBBC33F74A3E24ECEF3C58AD6146D7F76C7337FC83271D8A6AAB1E44B57
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with very long lines (1869), with no line terminators
Category:dropped
Size (bytes):1869
Entropy (8bit):5.084805852962181
Encrypted:false
SSDEEP:
MD5:A32B3AAD9C10089E45E778061D71055C
SHA1:279C540B9F7B3D37B00E55F0BA989A3C9DC31E27
SHA-256:1B55D4A86A24BAB9C86C2930BCDBAAC0EE67FD30D7C9D450F3604571EA6D3C07
SHA-512:016A959898B7C9235D919332BB8F02AF1CA7AEF44CFF04FEB96FB71738AB5ADD01D53340E6A803FEAFAA2E57A7EBF559ECDE3E1F667379C2F9E04A78DE93FFC9
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?><root><version>1</version><Count>12</Count><Resource><Id>Aptos_26215680</Id><LAT>2024-08-01T20:32:39Z</LAT><key>29939506207.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos_45876480</Id><LAT>2024-08-01T20:32:39Z</LAT><key>27160079615.ttf</key><folder>Aptos</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_26215424</Id><LAT>2023-10-06T09:25:29Z</LAT><key>31558910439.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_26215680</Id><LAT>2023-10-06T09:25:29Z</LAT><key>23001069669.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos Narrow_45876224</Id><LAT>2023-10-06T09:25:29Z</LAT><key>24153076628.ttf</key><folder>Aptos Narrow</folder><type>4</type></Resource><Resource><Id>Aptos Display_45876480</Id><LAT>2023-10-06T09:25:29Z</LAT><key>30264859306.ttf</key><folder>Aptos Display</folder><type>4</type></Resource><Resource><Id>Aptos_
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:modified
Size (bytes):175399
Entropy (8bit):5.288135471356618
Encrypted:false
SSDEEP:
MD5:9557186C62E42A8C450DF33C7A76069B
SHA1:B2472C35474A5FBECA81816544D0CC53D3FEEEA8
SHA-256:865CDF969BC4E4500E35DE9C20B5C0BD71BA0832D259DC5C7FDCFE6D8F72A59D
SHA-512:1632EC8E18A7B55818E894E248D648F00E28F63E24F8982ED3F2548F6821E90B05A1CC87DF86937156628DF1258265057C147A55D69F3A1E84E29EFDAB23EE47
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-08-01T20:32:39">.. Build: 16.0.17902.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite 3.x database, last written using SQLite version 3034001, writer version 2, read version 2, file counter 2, database pages 1, cookie 0, schema 0, largest root page 1, unknown 0 encoding, version-valid-for 2
Category:dropped
Size (bytes):4096
Entropy (8bit):0.09304735440217722
Encrypted:false
SSDEEP:
MD5:D0DE7DB24F7B0C0FE636B34E253F1562
SHA1:6EF2957FDEDDC3EB84974F136C22E39553287B80
SHA-256:B6DC74E4A39FFA38ED8C93D58AADEB7E7A0674DAC1152AF413E9DA7313ADE6ED
SHA-512:42D00510CD9771CE63D44991EA10C10C8FBCF69DF08819D60B7F8E7B0F9B1D385AE26912C847A024D1D127EC098904784147218869AE8D2050BCE9B306DB2DDE
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Rollback Journal
Category:dropped
Size (bytes):4616
Entropy (8bit):0.13784977103055013
Encrypted:false
SSDEEP:
MD5:C29D8D7527A6EE311A9B39D4D4FE1835
SHA1:CC93FDC3E001E5EB7E0A432A0CFB6483A6CD4FCC
SHA-256:B639E97232F2B4FC77BB81E51BA674E6DCD9E9E3E38290FCA25F6C7671F4FEE8
SHA-512:91A9755684A21288088183E1C8D8F8B94E0B2B1440DB7D0AD23C07FE16F33AC0791C7939AFBFC379A7A8CD1D3A1B53524B67F28E1822F723DEDFF69A65EB4D44
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):32768
Entropy (8bit):0.04347391592914322
Encrypted:false
SSDEEP:
MD5:4BF35E9A33E820423B0852ED7FE70302
SHA1:371F7CC24EB78F3584DE5C04E1C106C8D97F308E
SHA-256:65595494AE9C50F4FDE9BCCDD390315F39780D247AE9A0B5D51DFF521FA2C3F7
SHA-512:E8931EAD452D8BC3A7297CE692B7E104CF228F716DACEF821EF4923F0B668C034CEC277A9DE289927EC03BA1DCF325909ECA4832BFBD25FCBA10027A3FD04DCA
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:SQLite Write-Ahead Log, version 3007000
Category:modified
Size (bytes):45352
Entropy (8bit):0.3921331735287203
Encrypted:false
SSDEEP:
MD5:3FEC43B02C5B9242B0C69E11AFA21921
SHA1:F143A88BF03E521D596E09ADFA1E5BFDD3E8713A
SHA-256:CD32E95D5AE87325161679FE3B76A5E3FDF5E9EAFFC961E876E7179CD002CC8B
SHA-512:59A2B20A4798CED7170A9307F9F248E3D54D20A340B187321E6D2EE9B3C2D5FB0C9DE25E9CDEBDD9BE6490BBDC3A11D6E0C3E2D9996A6428E98E7C36CBB5B406
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):2248
Entropy (8bit):2.9091984941776894
Encrypted:false
SSDEEP:
MD5:A2CCF2DC68C18A94B466EE9EF3B1DE47
SHA1:77172DE0B2714944DF59D7E816F4EC84EB4A9E5B
SHA-256:30A279F92EE2B571E4763175788BE84E411F4D20729CAB2B78AB71827314C198
SHA-512:FB0B53ED724076F5FB8070B5FC73219F86CB1C1F8B846D45C453187262A9F62AF627BC3CB1DC4562E23CB34FEFAF222EF1B3EBCC4B7A4F4783FBEBFD1500721B
Malicious:false
Reputation:unknown
Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:XML 1.0 document, ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):172159
Entropy (8bit):5.291027210489096
Encrypted:false
SSDEEP:
MD5:A5BDD06995C858BFC4FC41FB477B6095
SHA1:13B01BCC31BF19ED857D3F69C5D707183C574744
SHA-256:B8905D67B267D203D9ED2E35C0F150EDEF97418BD3794D3D5EFA45F88354FB4E
SHA-512:C7FF79858B5971DE5A4A024D5F3E826F47F47DFB3B4E6493AE23F00FA20E52D000E8A2769A2B3A61CE485561ADB10F08BAA84534D3630A728929020B084AC6BD
Malicious:false
Reputation:unknown
Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-08-01T20:33:04">.. Build: 16.0.17902.40125-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe
File Type:data
Category:modified
Size (bytes):131072
Entropy (8bit):0.2063416515581793
Encrypted:false
SSDEEP:
MD5:6171DE303A9C5F5B19BDC2479BE2CCA1
SHA1:0C3900F59B0B4234467148EBA02AE96432370D3B
SHA-256:D4BCFA30F3729B49A8A7EB41DB3D03D4D0FA0C97C675DF00BE72A43432585AFF
SHA-512:523C5B2A1FF30E146AC11734827B227D578B2B0E5FD54C0B4598B10882D9F1CB32BF3561DFD1DAE11F233029ACC9D80A2560CF929E608431441147E8641A5EB8
Malicious:false
Reputation:unknown
Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:data
Category:dropped
Size (bytes):65536
Entropy (8bit):0.11973726254482248
Encrypted:false
SSDEEP:
MD5:2638F4D5FC4C32AF71FB9AA85A7F11DB
SHA1:E3D79E660C4B716B9D673571563B418243A41E87
SHA-256:B65F246756C14F89C5B259F858E199623087D59CF7A25C06FB394318589D30D9
SHA-512:CE79E968A2C982C6635A10B352A0675A0C723C05A591180C8E020A8328D9ECB6D1A897CAFE3D17C2B8B9248B9BF37D7F66178F4746841860A076A164C6D74044
Malicious:false
Reputation:unknown
Process:C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:MS Windows registry file, NT/2000 or above
Category:dropped
Size (bytes):524288
Entropy (8bit):2.5808517128582356
Encrypted:false
SSDEEP:
MD5:22392D6FA5363B4ED8EC59E219FD3BB1
SHA1:C58A86384DC9BA7F033FE60ECE753989A4B203B1
SHA-256:23556BEA6F61D55FFC7868601EC489D5963AB8EA2707908F5A2D4AD60842D19C
SHA-512:DC0ECCE9D0FDBEE1F5EF3BF65E5852A740CE748A6ECBFA85905541A3BCB3C92746BA082339BAAFE53BD5B15C39AC52019C613ACBD9A42E4151A7A43C03F830C0
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:ASCII text, with very long lines (28730), with CRLF line terminators
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.17668930616489464
Encrypted:false
SSDEEP:
MD5:35A11D9F9507F7359FBD3F70D90862DA
SHA1:7A737F6E2028548956E8D03A9F535F16A9AA7D7B
SHA-256:FE104F364FBA2A9BE7606DE043899A128CF7020D0D1B56C82BA1C01F0DB97037
SHA-512:D732D45E6D50FBFA76F88B252C786B7BC324A0336FD31ED16B3DE10E381E6DF065F1C51379BDF09F6011F6369C846FC897374AE94BBF69C45C52580E47ACA813
Malicious:false
Reputation:unknown
Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..08/01/2024 20:32:38.029.OUTLOOK (0x180C).0xF80.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":21,"Time":"2024-08-01T20:32:38.029Z","Contract":"Office.System.Activity","Activity.CV":"Q7A6t2cI0ESD2pkhZjB2EQ.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...08/01/2024 20:32:38.045.OUTLOOK (0x180C).0xF80.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":23,"Time":"2024-08-01T20:32:38.045Z","Contract":"Office.System.Activity","Activity.CV":"Q7A6t2cI0ESD2pkhZjB2EQ.4.10","Activity.Duration":13276,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVer
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):20971520
Entropy (8bit):0.0
Encrypted:false
SSDEEP:
MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:modified
Size (bytes):106496
Entropy (8bit):4.517808270624704
Encrypted:false
SSDEEP:
MD5:A2EC9904CFF4F0F2249561BDE187EEBC
SHA1:9B88DFF255E8BDEBB5EA9815248F248C03EB4A3B
SHA-256:1C456FFF82EB6AC3D43D783BBD9D83CC73DC4254E606B3FEACB731573FEE05C3
SHA-512:7A07BD32DF333BD0707F0176C62BF51C8076F738C9EE9DA8F4221047523C1CD38F4A14C726C25E7F1C7D3B444CFF4D1E2E709E919D75E72B38DDCAB2C7D9D1B6
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):30
Entropy (8bit):1.2389205950315936
Encrypted:false
SSDEEP:
MD5:5E6CB478183A1722DB1DC2203D381909
SHA1:A73D1473A83A8D0BF2F63B6DA81C9F32AA922E46
SHA-256:4852109CC16CD37BF56B4E1C1529916E237F775AF914E263C19E1CB7201941C9
SHA-512:26FD610724C0C495F9099EAB0B29D0ADCA2E25B4D42B46B038A688C4871A11B7397711454EE8A1F805F9656AED5F58EEC3A8E95EEF5EB03804800E5520048CFF
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Composite Document File V2 Document, Cannot read section info
Category:dropped
Size (bytes):16384
Entropy (8bit):0.6695826288335578
Encrypted:false
SSDEEP:
MD5:75AC29E779F28F8E45CE816BFAEE793D
SHA1:0C8BDB56F43853573A32F8B3BECE2D75FBF06851
SHA-256:8266BDBBA50ED43EE75652A0C5F947FD6DF075A1523C52DE03E1F963B5A1AF9C
SHA-512:3B0BA34A8985946CBFC6AC78CC94AACB301ADB3067E85F62FF10361D394B02F08BCC4D20822205A9DF32CE903B4F241409EDEEE7246E97D8222E66D7D0FAE96B
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:Microsoft Outlook email folder (>=2003)
Category:dropped
Size (bytes):271360
Entropy (8bit):2.377777293191977
Encrypted:false
SSDEEP:
MD5:A3048A6D039EAF4F72F989D7426CF9F6
SHA1:961ABFFBCA937873C611FD120031DFC13A020C29
SHA-256:6CFC82365668D21C32824660223E1E88BDD4513F92CB9D5426DD1654C98FE097
SHA-512:3B5EF885356839AE03D0748275AC4C2BF39037D53AF0ECE9DC495DB6E05C43A3856A2C41730CA4DEA5C4BDD47EF15834D4BEF0ADC186AB13A3B065EEE4C10EEB
Malicious:false
Reputation:unknown
Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:data
Category:dropped
Size (bytes):131072
Entropy (8bit):3.5109511141334333
Encrypted:false
SSDEEP:
MD5:6E1248A4E9B05FFE715FBC5DC036A7F1
SHA1:FD59C15E4868E6502C33F7ABD6B4130F6F43C1FF
SHA-256:78D2A0EFAF134DCA636D73CAFAE908CD8A129EB8E196D1B4FB8D8D2561963D0F
SHA-512:34AC95E021BCA1758567E55A4EE42CCD65F38B3305385F88CC912AF20F8902833ED31536EEFD09EAB7E4F0AF9373FDC155A840775226BA7644CFA8131DF281F8
Malicious:false
Reputation:unknown
File type:RFC 822 mail, ASCII text, with very long lines (2137), with CRLF line terminators
Entropy (8bit):5.939859836217948
TrID:
  • E-Mail message (Var. 5) (54515/1) 100.00%
File name:phish_alert_sp2_2.0.0.0.eml
File size:14'876 bytes
MD5:3ca27d913f217e45f50bab9fc8e0bc73
SHA1:b3f9509f2aa785bf9d8cb61d59c204dcbd7424a2
SHA256:d5986e069a8dece2eb00e0137d4414bd1c70c78f864a7412cc2aa32525b8360e
SHA512:f4d8b825eafde1854fc6e6704adb3bea31edea2ac13282812077c6fc88177268c6cf912e23da9d42dae48fa406c35f150fecb29843e251113605665bda802c55
SSDEEP:192:sodg2PR65HhpNNIbhQYAgPbhqQx7fCDA5mF+8sKDpfnJdZA/Ro9pR4CRB5dXGyBB:sodg2PR2jmbeSzXjuG18MRWRBrhlKW
TLSH:E0623925E18211A05AF58BD4F0563D6143F16C9CCB6389D0FD7BA5F81CCA8B63B5838E
File Content Preview:Received: from DB9P189MB1836.EURP189.PROD.OUTLOOK.COM.. (2603:10a6:10:326::21) by AM8P189MB1316.EURP189.PROD.OUTLOOK.COM with.. HTTPS; Thu, 1 Aug 2024 11:14:37 +0000..Received: from DUZPR01CA0065.eurprd01.prod.exchangelabs.com.. (2603:10a6:10:3c2::8) by D
Subject:Gms Worldwide has been invited to view "Procurement/Disbursement Document"
From:Joseph Brandt <tracy@nycscs.us>
To:Dmytro Drobot <D.DROBOT@GMS-WORLDWIDE.COM>
Cc:
BCC:
Date:Thu, 01 Aug 2024 11:14:27 +0000
Communications:
  • A file has been shared with Gms Worldwide Hi, Please View the document for Gms Worldwide. Thanks,Joseph BrandtGms Worldwide - 496229 - HZBGA This invite will only work for you and people in Gms-Worldwide. In the event that the provided link does not function as expected, please copy the following link and paste it directly into your web browser's address bar:"sharepoint.com-singin@serverconnecting-clientfiles-auth38392919.simplemagiclink.com/authenticating#D.DROBOT@GMS-WORLDWIDE.COM" IMPORTANT: The documents accompanying this transmission contain CONFIDENTIAL INFORMATION belonging to the sender that is legally privileged. This information is intended only for the use of the individual or entity named above. The authorized recipient of this information to any other party and is required to destroy the information after its stated need has been fulfilled. If you are not the intended recipient, you are hereby notified that any reading, disclosure, copying, distribution, or action taken in reliance on the contents of these documents is strictly prohibited. Violators may be prosecuted. If you have received this email in error, please notify the sender immediately and destroy the transmitted information.
Attachments:
    Key Value
    Received from ##victimfulldomain## (127.0.0.1) by winhex19beus6.winusa.mail 10.72.152.143) with Microsoft SMTP Server (version=TLS1_2,cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id 15.2.1544.11; 14:24:11 -0400
    Authentication-Results spf=fail (sender IP is 74.208.4.194) smtp.mailfrom=nycscs.us; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=nycscs.us;compauth=softpass reason=201
    Received-Spf Fail (protection.outlook.com: domain of nycscs.us does not designate 74.208.4.194 as permitted sender) receiver=protection.outlook.com; client-ip=74.208.4.194; helo=mout.perfora.net;
    Content-Type multipart/mixed; boundary="----sinikael-?=_1-17225314554070.6658605929566916"
    MIME-Version 1.0
    From Joseph Brandt <tracy@nycscs.us>
    To Dmytro Drobot <D.DROBOT@GMS-WORLDWIDE.COM>
    Subject Gms Worldwide has been invited to view "Procurement/Disbursement Document"
    Date Thu, 01 Aug 2024 11:14:27 +0000
    X-Qhqpjyrl AARVILH
    X-Pcvbb BLRVWZCC
    X-Accept-Language en-us, en
    X-Priority 2
    X-Msmail-Priority High
    Importance High
    Message-Id <bcb3d23eee97ad3df732b0f6c4239d79@##victimfulldomain##>
    Return-Path tracy@nycscs.us
    X-Clientproxiedby winhex19beus1.winusa.mail (10.72.152.11) To winhex19beus3.winusa.mail (10.72.152.12)
    X-Spam-Flag NO
    X-Ms-Exchange-Organization-Expirationstarttime 01 Aug 2024 11:14:32.0258 (UTC)
    X-Ms-Exchange-Organization-Expirationstarttimereason OriginalSubmit
    X-Ms-Exchange-Organization-Expirationinterval 1:00:00:00.0000000
    X-Ms-Exchange-Organization-Expirationintervalreason OriginalSubmit
    X-Ms-Exchange-Organization-Network-Message-Id 48c0818a-de68-4199-8e41-08dcb21b1e32
    X-Eopattributedmessage 0
    X-Eoptenantattributedmessage b257b72a-b83c-4005-915b-ce5ce92eaad2:0
    X-Ms-Exchange-Organization-Messagedirectionality Incoming
    X-Ms-Publictraffictype Email
    X-Ms-Traffictypediagnostic DB1PEPF000509FA:EE_|DB9P189MB1836:EE_|AM8P189MB1316:EE_
    X-Ms-Exchange-Organization-Authsource DB1PEPF000509FA.eurprd03.prod.outlook.com
    X-Ms-Exchange-Organization-Authas Anonymous
    X-Ms-Office365-Filtering-Correlation-Id 48c0818a-de68-4199-8e41-08dcb21b1e32
    X-Ms-Exchange-Atpmessageproperties SA|SL
    X-Ms-Exchange-Organization-Scl 1
    X-Microsoft-Antispam BCL:0;ARA:13230040|12012899012|41022699024|2092899012|80162021|10800299015;
    X-Forefront-Antispam-Report CIP:74.208.4.194;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mout.perfora.net;PTR:mout.perfora.net;CAT:NONE;SFS:(13230040)(12012899012)(41022699024)(2092899012)(80162021)(10800299015);DIR:INB;
    X-Ms-Exchange-Crosstenant-Originalarrivaltime 01 Aug 2024 11:14:31.7758 (UTC)
    X-Ms-Exchange-Crosstenant-Network-Message-Id 48c0818a-de68-4199-8e41-08dcb21b1e32
    X-Ms-Exchange-Crosstenant-Id b257b72a-b83c-4005-915b-ce5ce92eaad2
    X-Ms-Exchange-Crosstenant-Authsource DB1PEPF000509FA.eurprd03.prod.outlook.com
    X-Ms-Exchange-Crosstenant-Authas Anonymous
    X-Ms-Exchange-Crosstenant-Fromentityheader Internet
    X-Ms-Exchange-Transport-Crosstenantheadersstamped DB9P189MB1836
    X-Ms-Exchange-Transport-Endtoendlatency 00:00:05.3187271
    X-Ms-Exchange-Processed-By-Bccfoldering 15.20.7828.000
    X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)(1420198);
    Content-Transfer-Encoding 7bit

    Icon Hash:46070c0a8e0c67d6