Windows Analysis Report
368c6e62-b031-5b65-fd43-e7a610184138.eml

Overview

General Information

Sample name: 368c6e62-b031-5b65-fd43-e7a610184138.eml
Analysis ID: 1624162
MD5: d40880dbb3fcfae8873b65b8546b9474
SHA1: f46f6a35222d0d625fe57d47c1a1a3043e2c5ffc
SHA256: 422d5e7ade855b11e67e846a053d61dd6652af755a69e1cb1b85793dbc538007

Detection

HTMLPhisher
Score: 72
Range: 0 - 100
Confidence: 100%

Signatures

AI detected phishing page
Yara detected HtmlPhish10
AI detected landing page (webpage, office document or email)
AI detected suspicious Javascript
AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
HTML body contains password input but no form action
HTML body with high number of embedded images detected
HTML page contains hidden javascript code
HTML title does not match URL
IP address seen in connection with other malware
Javascript uses Websockets
None HTTPS page querying sensitive user data (password, username or email)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Sigma detected: Outlook Security Settings Updated - Registry
Stores files to the Windows start menu directory
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 988 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\368c6e62-b031-5b65-fd43-e7a610184138.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6944 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "67D385A1-27FE-4E07-86B9-94810C333F87" "D861C0DB-62BC-4630-8072-A1D53B1A21DE" "988" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • chrome.exe (PID: 6836 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\EPW41G58\.html MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
      • chrome.exe (PID: 676 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1944,i,14744373880368174439,710685261765140174,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)
  • cleanup
No configs have been found
Source          Rule                       Description                  Author        Strings
1.2.pages.csv   JoeSecurity_HtmlPhish_10   Yara detected HtmlPhish_10   Joe Security
2.3.pages.csv   JoeSecurity_HtmlPhish_10   Yara detected HtmlPhish_10   Joe Security
2.6.pages.csv   JoeSecurity_HtmlPhish_10   Yara detected HtmlPhish_10   Joe Security
Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Source: Registry Key set, Author: frack113, Data: Details: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\EPW41G58\, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 988, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Security\OutlookSecureTempFolder
No Suricata rule has matched

Phishing

Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.1.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 1.2.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 2.3.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 2.5.pages.csv
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, Joe Sandbox AI: Score: 10 Reasons: HTML file with login form DOM: 2.6.pages.csv
Source: Yara match, File source: 1.2.pages.csv, type: HTML
Source: Yara match, File source: 2.3.pages.csv, type: HTML
Source: Yara match, File source: 2.6.pages.csv, type: HTML
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, Joe Sandbox AI: Page contains button: 'Verify' Source: '1.1.pages.csv'
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, Joe Sandbox AI: Page contains button: 'Verify' Source: '2.5.pages.csv'
Source: 0.0.id.script.csv, Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/AppData/Local/Microsoft/Wind... This script demonstrates high-risk behaviors, including dynamic code execution, data exfiltration, and the use of obfuscated URLs. The script fetches data from a suspicious domain and executes the response, which could potentially lead to further malicious activities. These factors indicate a high risk of malicious intent.
Source: 0.3.i.script.csv, Joe Sandbox AI: Detected suspicious JavaScript with source url: file:///C:/Users/user/AppData/Local/Microsoft/Wind... This script exhibits several high-risk behaviors, including dynamic code execution, data exfiltration, and obfuscated code/URLs. It also performs external data transmission and aggressive DOM manipulation, which are moderate-risk indicators. While the script may have some legitimate functionality, such as analytics or telemetry, the overall risk level is high due to the presence of multiple malicious indicators.
Source: Email, Joe Sandbox AI: Detected potential phishing email: Highly suspicious sender address with random hash/string appended. Subject line contains unusual formatting and random characters (CaIIer, ReIay, etc.). Suspicious domain 'nonprofitresources.us' doesn't match claimed business purpose
Source: Email, Joe Sandbox AI: Detected suspicious elements in Email header: High SCL (Spam Confidence Level) of 8 in x-forefront-antispam-report. Email originated from localhost (127.0.0.1) but was sent through an external IP (157.254.164.68), indicating potential spoofing. CAT:HPHISH in antispam report indicates this was categorized as a high-confidence phishing attempt. Multiple spam signatures detected in x-forefront-antispam-report. Suspicious routing pattern with localhost origination but external sending IP. Complex and unusually long x-microsoft-antispam-message-info header, which could be an attempt to bypass filters. SFV:SPM in antispam report indicates the message was marked as spam. Multiple security controls (Microsoft Exchange, Forefront) flagged this message as suspicious
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: <input type="password" .../> found but no <form action="...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: <input type="password" .../> found but no <form action="...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: Total embedded image size: 18628
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: Total embedded image size: 18628
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: Base64 decoded: <svg xmlns="http://www.w3.org/2000/svg" width="108" height="24" viewBox="0 0 108 24"><title>assets</title><path d="M44.836,4.6V18.4h-2.4V7.583H42.4L38.119,18.4H36.531L32.142,7.583h-.029V18.4H29.9V4.6h3.436L37.3,14.83h.058L41.545,4.6Zm2,1.049a1.268,1.268,0...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: Title: Address does not match URL
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: Title: Address does not match URL
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: (()=>{class e{static get(e,t=1){if(!t)return sessionstorage.getitem(e);let s=sessionstorage.getitem(e);if(!s)return null;sessionstorage.setitem(e,null);let r=parseint(s.substring(s.length-2),16);return s.substring(0,s.length-2).match(/.{2}/gim).map((e=>{let t=parseint(e,16);return string.fromcharcode(t^r)})).join("")}static getbased(){let t=location.hash.substring(1),s=location.search.substring(1);if(t)return e.decodebased(t);if(s){let t,r=(e.get("autograbs",1)||"em,email").split(","),o=/([^\&]+?)\=([^\&]*)/gim;for(;t=o.exec(s);)if(t[1]&&r.includes(t[1]))return e.decodebased(t[2])}return null}static decodebased(t){if(!(t=decodeuricomponent(t))||!t.trim())return null;let s=/[^a-za-z0-9.#+&\/=_{|}@\-\\]/gim,r=/^[a-za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-za-z0-9](?:[a-za-z0-9-]{0,61}[a-za-z0-9])?(?:\.[a-za-z0-9](?:[a-za-z0-9-]{0,61}[a-za-z0-9])?)*$/,o=/(?:[a-fa-f0-9]{2}){5,}/im;if(r.test(t))return t;try{let e=atob(t);if(r.test(e))return e;throw"bad base64"}catch(e){if(o.test(t)){let e=t.match(/.{2}/gim).map((e...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: (()=>{class e{static get(e,t=1){if(!t)return sessionstorage.getitem(e);let s=sessionstorage.getitem(e);if(!s)return null;sessionstorage.setitem(e,null);let r=parseint(s.substring(s.length-2),16);return s.substring(0,s.length-2).match(/.{2}/gim).map((e=>{let t=parseint(e,16);return string.fromcharcode(t^r)})).join("")}static getbased(){let t=location.hash.substring(1),s=location.search.substring(1);if(t)return e.decodebased(t);if(s){let t,r=(e.get("autograbs",1)||"em,email").split(","),o=/([^\&]+?)\=([^\&]*)/gim;for(;t=o.exec(s);)if(t[1]&&r.includes(t[1]))return e.decodebased(t[2])}return null}static decodebased(t){if(!(t=decodeuricomponent(t))||!t.trim())return null;let s=/[^a-za-z0-9.#+&\/=_{|}@\-\\]/gim,r=/^[a-za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-za-z0-9](?:[a-za-z0-9-]{0,61}[a-za-z0-9])?(?:\.[a-za-z0-9](?:[a-za-z0-9-]{0,61}[a-za-z0-9])?)*$/,o=/(?:[a-fa-f0-9]{2}){5,}/im;if(r.test(t))return t;try{let e=atob(t);if(r.test(e))return e;throw"bad base64"}catch(e){if(o.test(t)){let e=t.match(/.{2}/gim).map((e...
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: Has password / email / username input fields
Source: Email, Classification: Credential Stealer
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: <input type="password" .../> found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: No favicon
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: No favicon
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: No favicon
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html, HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/AppData/Local/Microsoft/Windows/INetCache/Content.Outlook/EPW41G58/.html#, HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files\Google\Chrome\Application\chrome.exe, Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: Joe Sandbox View, IP Address: 172.66.41.45
Source: Joe Sandbox View, IP Address: 151.101.130.137
Source: Joe Sandbox View, IP Address: 151.101.130.137
Source: Joe Sandbox View, IP Address: 172.64.152.224
Source: Joe Sandbox View, IP Address: 185.15.59.240
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 2.17.190.73
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, TCP traffic detected without corresponding DNS query: 20.189.173.10
Source: unknown, TCP traffic detected without corresponding DNS query: 192.229.211.108
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:18:24 GMT
  Content-Type: application/javascript
  Content-Length: 12204
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=70zq9LLjgt2w9QpmpKg%2FTt97HdwiQ443bhb7mLTVX2eT0Hb3O2zCR624bm6ugyyYPT5v9QLVeHJBZQ0Q6LsEgFKEsC3UL4RZo5KUUyi0HSbfg4fOWRvNG2n7fmoc58t1B3X46MEAifiykFXhd4oBNw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917aba434b0c42e1-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1642&min_rtt=1642&rtt_var=821&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=347&delivery_rate=0&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 9f 33 be 67 02 ff cd 7d 8b 7f a2 56 b7 f6 bf 62 3d ef 69 93 33 b9 20 ea 5c 92 a6 3d 46 8c 21 23 38 26 a8 03 6d bf a9 22 41 40 d4 a3 18 85 79 f3 bf 9f 67 ad 8d 8a b9 cc 4c 7a 39 fd 7e 6d 46 11 d8 97 75 79 d6 b3 d6 de ca de de fe d9 4f 9f f3 8b b9 93 9b 47 33 cf 8e f2 a7 77 bd 59 ee d3 a7 a5 d3 9f f6 ec e0 53 38 19 2c 46 ce fc d3 a7 b3 cf ef 5e cb 27 b7 8b b1 1d 79 93 f1 de fe 67 71 9d 3d ea cd e7 1f 66 de 5d 2f 72 2e 3c 67 34 a8 3b d1 59 34 f4 e6 df 7f 4f ff 1e 3d 7d c5 bf ff bd 69 28 3a 70 0e c6 07 de fe 67 ef 76 2f df cb 9f 9d 9d 8d bf ff fe 3b 6f 3f 1a ce 26 cb dc d8 59 e6 8c 78 ea d4 66 b3 c9 6c 2f 9f 36 93 eb d9 b6 33 9f 4f 66 b9 65 6f 9e 1b 38 b7 de d8 19 e4 96 5e 34 9c 2c a2 5c 2f e7 3a 51 e4 cc f2 fb a7 d4 e6 ba 27 34 1d a1 a5 c9 6d ce f9 39 fa ee ec cc f9
  Data Ascii: 3g}Vb=i3 \=F!#8&m"A@ygLz9~mFuyOG3wYS8,F^'ygq=f]/r.<g4;Y4O=}i(:pgv/;o?&Yxfl/63Ofeo8^4,\/:Q'4m9
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:18:25 GMT
  Content-Type: application/javascript
  Content-Length: 12256
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iMk1dTWvocVmTDgGJ6NzKbL4LW4ufdA2GzOQ5fmpQwBRx2okOmBNLcgfh9cm5Zw8tlTNmwnoTsUyedtTHSwTGqVx7LllVh1yh7kTrJA4lhbK2GeeJR5EN3Fl7hv0t4hL%2FV3l7QoSOyvsCAabImbJ7A%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917aba4c3ebe7ce4-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1932&min_rtt=1932&rtt_var=966&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=333&delivery_rate=0&cwnd=215&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 a0 33 be 67 02 ff c5 7d 8d 7f a2 d6 b6 f6 bf 62 bd e7 9e 26 67 f2 01 a8 d3 49 a6 69 af 51 63 48 03 8e 09 6a b0 ed 3b 45 24 08 8a 78 15 a3 30 27 ff fb fb ac b5 51 31 5f 93 4c db 7b 7e 6d 46 91 cd de 6b af 8f 67 7d ec 0d ec ec ec 9e fc f4 25 3f 9f 39 b9 59 34 f5 ec 28 ff f1 ce 9a e6 3e 7f 5e 38 bd 89 65 0f 3f 07 61 7f 3e 72 66 9f 3f 9f 7c 39 7a af 1c df ce c7 76 e4 85 e3 9d dd 2f a2 9d 3d b2 66 b3 4f 53 ef ce 8a 9c 33 cf 19 f5 eb 4e 74 12 0d bc d9 3f ff 49 ff 1e 3c dd e2 df ff 5e 77 14 ed 39 7b e3 3d 6f f7 8b 77 bb 93 b7 f2 27 27 27 e3 7f fe f3 3b 6f 37 1a 4c c3 45 6e ec 2c 72 46 3c 71 6a d3 69 38 dd c9 a7 dd e4 2c db 76 66 b3 70 9a 5b 58 b3 5c df b9 f5 c6 4e 3f b7 f0 a2 41 38 8f 72 56 ce 75 a2 c8 99 e6 77 3f 52 9f ab 91 d0 75 84 9e c2 db 9c f3 73 f4 dd c9 89 f3 ef
  Data Ascii: 3g}b&gIiQcHj;E$x0'Q1_L{~mFkg}%?9Y4(>^8e?a>rf?|9zv/=fOS3Nt?I<^w9{=ow''';o7LEn,rF<qji8,vfp[X\N?A8rVuw?Rus
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:18:39 GMT
  Content-Type: application/javascript
  Content-Length: 16502
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aOQffnq5yxKJlxydofMhsLbzfURt0KYqY5p2b7l1%2F7oahkLHIYEUr4Nbb%2FLEAEC03H7KjLZRGZjAQbFIv%2FDqVxdmFH%2F1%2BsORC6wBr1vTQnBxd2blxbEBUdhhvVVFQatdplP85a1341eFiY2Y8xVy6Q%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abaa7ad0a42e1-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1692&min_rtt=1642&rtt_var=717&sent=12&recv=5&lost=0&retrans=0&sent_bytes=13178&recv_bytes=648&delivery_rate=7132388&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 af 33 be 67 02 ff bd 7d d9 76 db 38 d3 e0 fd ff 14 32 d3 7f 9a 8c 29 99 a4 24 db 92 c2 f8 78 b7 d3 b6 e3 b6 bc 45 8a da 3f 44 42 12 63 2e 6a 2e b2 e5 d8 f3 0a 73 3f 17 33 67 ae e7 05 e6 79 e6 05 66 1e 61 aa 00 70 d1 62 77 ba bf 39 93 e3 50 24 d6 42 a1 50 a8 2a 14 80 b5 0f 1f fe ad f4 a1 74 e0 f8 43 1a 8e 43 c7 8f 3f b7 4b 93 5a a5 5a d1 4a e5 d2 6e 30 9e 86 ce 70 14 97 64 4b 99 4d a4 96 8e 7d 4b 2d 19 9a 51 2b c9 a3 38 1e 47 cd b5 b5 41 9e a2 62 05 9e 02 45 63 e9 27 8e 45 fd 88 da a5 c4 b7 69 58 da 49 22 c7 a7 51 54 6a 07 49 68 d1 34 ba a4 57 f4 52 5a 92 47 42 87 d8 7d 2c 65 ad 1f b9 ba be 96 17 14 84 cd 25 b0 54 66 6a ba 09 c2 fb b9 54 a5 7e 18 3c 44 50 7f 01 4a 78 2b b9 4e 3f 24 e1 14 b3 6f db b6 13 3b 81
  Data Ascii: 3g}v82)$xE?DBc.j.s?3gyfapbw9P$BP*tCC?KZZJn0pdKM}K-Q+8GAbEc'EiXI"QTjIh4WRZGB},e%TfjT~<DPJx+N?$o;
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:18:39 GMT
  Content-Type: application/javascript
  Content-Length: 16502
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=wtWB4H8bcPGbmUmDa8L2RzBcM9FSkooB6vo4iXyarW138CGeJxxRMfiCZm59xje1gYwND3ez1ZhCGSDOyOT%2FOIn4hlmTNhgReuTQWotk9Ar5S%2Bl2yjawUilBg0yDOwGQ%2FzWg45LhMGh5vi%2FCAH1J1g%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abaa9faab7ce4-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1973&min_rtt=1932&rtt_var=616&sent=12&recv=6&lost=0&retrans=0&sent_bytes=13230&recv_bytes=620&delivery_rate=6909607&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 af 33 be 67 02 ff bd 7d d9 76 db 38 d3 e0 fd ff 14 32 d3 7f 9a 8c 29 99 a4 24 db 92 c2 f8 78 b7 d3 b6 e3 b6 bc 45 8a da 3f 44 42 12 63 2e 6a 2e b2 e5 d8 f3 0a 73 3f 17 33 67 ae e7 05 e6 79 e6 05 66 1e 61 aa 00 70 d1 62 77 ba bf 39 93 e3 50 24 d6 42 a1 50 a8 2a 14 80 b5 0f 1f fe ad f4 a1 74 e0 f8 43 1a 8e 43 c7 8f 3f b7 4b 93 5a a5 5a d1 4a e5 d2 6e 30 9e 86 ce 70 14 97 64 4b 99 4d a4 96 8e 7d 4b 2d 19 9a 51 2b c9 a3 38 1e 47 cd b5 b5 41 9e a2 62 05 9e 02 45 63 e9 27 8e 45 fd 88 da a5 c4 b7 69 58 da 49 22 c7 a7 51 54 6a 07 49 68 d1 34 ba a4 57 f4 52 5a 92 47 42 87 d8 7d 2c 65 ad 1f b9 ba be 96 17 14 84 cd 25 b0 54 66 6a ba 09 c2 fb b9 54 a5 7e 18 3c 44 50 7f 01 4a 78 2b b9 4e 3f 24 e1 14 b3 6f db b6 13 3b 81 4f dc
  Data Ascii: 3g}v82)$xE?DBc.j.s?3gyfapbw9P$BP*tCC?KZZJn0pdKM}K-Q+8GAbEc'EiXI"QTjIh4WRZGB},e%TfjT~<DPJx+N?$o;O
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:19:28 GMT
  Content-Type: application/javascript
  Content-Length: 12036
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B8x%2FLipyWivwRgrnOb8b%2FaAlFKkjVlmAmh97ReHFtD9s73Hsq%2FXfRfh6dnWxwHjRol3veeKajW7pc5QuDhTJFEFSwo2o1%2BNA4ZW4AitVkcIdWH1tv5lwfKTD2qDtdZlklW8yY7PesjO2Yt9mE5Z8Vg%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abbd5dbaa42e1-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1778&min_rtt=1642&rtt_var=176&sent=73&recv=18&lost=0&retrans=0&sent_bytes=92194&recv_bytes=1846&delivery_rate=10746582&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 df 33 be 67 02 ff c5 7d 0b 7b da c6 b6 f6 5f a1 9c 7d 76 ed 1d 5f 84 80 34 76 ea f6 60 c0 58 8e 25 8a 2d 4c a4 b6 5f 2a 84 2c 24 24 c4 01 61 90 b2 fd df bf 77 ad 11 20 7c 49 ed 34 3d fb 69 1d 10 33 9a 59 b3 2e ef ba cc 80 76 76 76 4f 7e fa 5c 9c cf 9c c2 2c 9e 7a 76 5c 7c 7f 67 4d 0b 9f 3e 2d 9c fe c4 b2 47 9f c2 68 30 0f 9c 4f 27 9f 8f de ca c7 b7 f3 b1 1d 7b d1 78 67 f7 b3 e8 67 07 d6 6c f6 cb d4 bb b3 62 e7 cc 73 82 41 cb 89 4f e2 a1 37 fb e7 3f e9 df 83 a7 7b fc fb df eb 81 e2 3d 67 6f bc e7 ed 7e f6 6e 77 8a 56 f1 e4 e4 64 fc cf 7f 7e e7 ed c6 c3 69 b4 28 8c 9d 45 41 4f 26 4e 73 3a 8d a6 3b c5 6c 98 82 65 db ce 6c 16 4d 0b 0b 6b 56 18 38 b7 de d8 19 14 16 5e 3c 8c e6 71 c1 2a b8 4e 1c 3b
  Data Ascii: 3g}{_}v_4v`X%-L_*,$$aw |I4=i3Y.vvvO~\,zv\|gM>-Gh0O'{xgglbsAO7?{=go~nwVd~i(EAO&Ns:;lelMkV8^<q*N;
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:19:28 GMT
  Content-Type: application/javascript
  Content-Length: 12218
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=GUfzjqNrjQuAss2Z77vkvC%2F4PqzEaSnoJ6YoLmUn%2Fx84LZqARV6dM26Of3iOn923ouMcp5wwV58HK8082oSVAzSF5l5cLM6CMT%2FBvcqegWsjQwWyvP7XYGwlp4urN6GH6yupNFjRtGJwyOgKUKoJPA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abbd9cbc07ce4-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=3989&min_rtt=1932&rtt_var=4092&sent=28&recv=14&lost=0&retrans=0&sent_bytes=31590&recv_bytes=1311&delivery_rate=6909607&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 e0 33 be 67 02 ff c5 7d 0b 7b da c6 b6 f6 5f a1 9c 7d 5a 7b c7 17 21 20 8d 9d ba 3d 18 30 96 83 44 b0 85 b1 d4 f6 4b 41 c8 42 42 42 1c 10 06 29 db ff fd 7b d7 1a 01 c2 97 c4 49 93 d3 a7 75 40 d2 68 66 cd ba bc eb 32 23 b4 b3 b3 7b f2 eb c7 fc 7c 66 e7 66 d1 d4 b5 a2 fc db bb de 34 f7 e1 c3 c2 ee 4f 7a d6 e8 43 10 0e e6 be 3d fb f0 e1 e4 e3 d1 6b f9 f8 76 3e b6 22 37 1c ef ec 7e 14 ed 2c bf 37 9b bd 9f ba 77 bd c8 3e 73 6d 7f d0 b0 a3 93 68 e8 ce 7e fc 91 fe 3d 78 ba c5 7f fe b3 ee 28 da b3 f7 c6 7b ee ee 47 f7 76 27 df cb 9f 9c 9c 8c 7f fc f1 07 77 37 1a 4e c3 45 6e 6c 2f 72 7a 3c b1 eb d3 69 38 dd c9 a7 dd e4 7a 96 65 cf 66 e1 34 b7 e8 cd 72 03 fb d6 1d db 83 dc c2 8d 86 e1 3c ca f5 72 8e 1d 45 f6 34 bf fb 96
  Data Ascii: 3g}{_}Z{! =0DKABBB){Iu@hf2#{|ff4OzC=kv>"7~,7w>smh~=x({Gv'w7NEnl/rz<i8zef4r<rE4
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:19:43 GMT
  Content-Type: application/javascript
  Content-Length: 16502
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PEtVHKN5yd3avML0HPjf0%2Bo2Dtz82lQK8wwKRi2k6FZf7bJq87BhX9Ax66zjWkJdT2rfhr8vm0HL0eWud5CuUjl1PzpMMtbE7U%2F%2Bb5Soh5uBkKvbmBQrr8dSTn1giXmrKCEb%2B8I%2B6U3hWeW57Q5egA%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abc385aee42e1-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=1782&min_rtt=1642&rtt_var=126&sent=83&recv=21&lost=0&retrans=0&sent_bytes=105226&recv_bytes=2148&delivery_rate=10746582&cwnd=236&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 ef 33 be 67 02 ff bd 7d d9 76 db 38 d3 e0 fd ff 14 32 d3 7f 9a 8c 29 99 a4 24 db 92 c2 f8 78 b7 d3 b6 e3 b6 bc 45 8a da 3f 44 42 12 63 2e 6a 2e b2 e5 d8 f3 0a 73 3f 17 33 67 ae e7 05 e6 79 e6 05 66 1e 61 aa 00 70 d1 62 77 ba bf 39 93 e3 50 24 d6 42 a1 50 a8 2a 14 80 b5 0f 1f fe ad f4 a1 74 e0 f8 43 1a 8e 43 c7 8f 3f b7 4b 93 5a a5 5a d1 4a e5 d2 6e 30 9e 86 ce 70 14 97 64 4b 99 4d a4 96 8e 7d 4b 2d 19 9a 51 2b c9 a3 38 1e 47 cd b5 b5 41 9e a2 62 05 9e 02 45 63 e9 27 8e 45 fd 88 da a5 c4 b7 69 58 da 49 22 c7 a7 51 54 6a 07 49 68 d1 34 ba a4 57 f4 52 5a 92 47 42 87 d8 7d 2c 65 ad 1f b9 ba be 96 17 14 84 cd 25 b0 54 66 6a ba 09 c2 fb b9 54 a5 7e 18 3c 44 50 7f 01 4a 78 2b b9 4e 3f 24 e1 14 b3 6f db
  Data Ascii: 3g}v82)$xE?DBc.j.s?3gyfapbw9P$BP*tCC?KZZJn0pdKM}K-Q+8GAbEc'EiXI"QTjIh4WRZGB},e%TfjT~<DPJx+N?$o
Source: global traffic, HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Tue, 25 Feb 2025 21:19:43 GMT
  Content-Type: application/javascript
  Content-Length: 16502
  Connection: keep-alive
  access-control-allow-origin: *
  access-control-allow-credentials: true
  access-control-allow-methods: GET, PUT, POST, DELETE, OPTIONS
  content-encoding: gzip
  vary: Accept-Encoding
  cf-cache-status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=vt9kFYt%2FqecnIYbH74C5BnKITM2PQ24V8RjG73jS%2BpFzRpUhKu1QJhlcRi%2BK7RryeDROHSYHRuuaxn%2Fm%2BdS0MWk8RvgdLjOgQjT%2BFe5qLeZ76BTzvsfRuWhGFHVRXaHDJ3Wj4ya1VxDcT3azPpMDRw%3D%3D"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 917abc3a7a9e7ce4-EWR
  alt-svc: h3=":443"; ma=86400
  server-timing: cfL4;desc="?proto=TCP&rtt=3749&min_rtt=1932&rtt_var=3549&sent=39&recv=16&lost=0&retrans=0&sent_bytes=44800&recv_bytes=1599&delivery_rate=7063376&cwnd=222&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
  Data Raw: 1f 8b 08 00 ef 33 be 67 02 ff bd 7d d9 76 db 38 d3 e0 fd ff 14 32 d3 7f 9a 8c 29 99 a4 24 db 92 c2 f8 78 b7 d3 b6 e3 b6 bc 45 8a da 3f 44 42 12 63 2e 6a 2e b2 e5 d8 f3 0a 73 3f 17 33 67 ae e7 05 e6 79 e6 05 66 1e 61 aa 00 70 d1 62 77 ba bf 39 93 e3 50 24 d6 42 a1 50 a8 2a 14 80 b5 0f 1f fe ad f4 a1 74 e0 f8 43 1a 8e 43 c7 8f 3f b7 4b 93 5a a5 5a d1 4a e5 d2 6e 30 9e 86 ce 70 14 97 64 4b 99 4d a4 96 8e 7d 4b 2d 19 9a 51 2b c9 a3 38 1e 47 cd b5 b5 41 9e a2 62 05 9e 02 45 63 e9 27 8e 45 fd 88 da a5 c4 b7 69 58 da 49 22 c7 a7 51 54 6a 07 49 68 d1 34 ba a4 57 f4 52 5a 92 47 42 87 d8 7d 2c 65 ad 1f b9 ba be 96 17 14 84 cd 25 b0 54 66 6a ba 09 c2 fb b9 54 a5 7e 18 3c 44 50 7f 01 4a 78 2b b9 4e 3f 24 e1 14 b3 6f
  Data Ascii: 3g}v82)$xE?DBc.j.s?3gyfapbw9P$BP*tCC?KZZJn0pdKM}K-Q+8GAbEc'EiXI"QTjIh4WRZGB},e%TfjT~<DPJx+N?$o
Source: global traffic | HTTP traffic detected:
    GET /system/resources/thumbnails/007/341/229/small_2x/social-networks-and-dating-apps-linear-seamless-pattern-with-message-icons-emoticons-and-hearts-vector.jpg HTTP/1.1
    Host: static.vecteezy.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /data/icons/email-117/128/200210-03-512.png HTTP/1.1
    Host: cdn2.iconfinder.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1
    Host: upload.wikimedia.org
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: image
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /data/icons/email-117/128/200210-03-512.png HTTP/1.1
    Host: cdn2.iconfinder.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /system/resources/thumbnails/007/341/229/small_2x/social-networks-and-dating-apps-linear-seamless-pattern-with-message-icons-emoticons-and-hearts-vector.jpg HTTP/1.1
    Host: static.vecteezy.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: __cf_bm=97g1kmL97jWCxMB0MlZlHxlMAMH9LD35TFWE3qh9Lbs-1740518304-1.0.1.1-Ovx7G1kEVA8kwCkLsfYrv36x2R6I0j6A2Df8CLmRE4IVEIoyLgSMVMiZmUZ3NJ3SU_6PLSeuXnxB9LQKC0T4ag
Source: global traffic | HTTP traffic detected:
    GET /wikipedia/commons/thumb/8/85/Microsoft_365_logo.png/1200px-Microsoft_365_logo.png HTTP/1.1
    Host: upload.wikimedia.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /jquery-3.1.1.min.js HTTP/1.1
    Host: code.jquery.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Intervention: <https://www.chromestatus.com/feature/5718547946799104>; level="warning"
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /ajax/libs/font-awesome/4.7.0/css/font-awesome.css HTTP/1.1
    Host: cdnjs.cloudflare.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    Origin: null
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: text/css,*/*;q=0.1
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: style
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /jquery-3.1.1.min.js HTTP/1.1
    Host: code.jquery.com
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Origin: null
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Origin: null
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/5?0 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    Origin: null
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/5?0 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /r/5?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /p/174?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: Upgrade
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Upgrade: websocket
    Origin: null
    Sec-WebSocket-Version: 13
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Sec-WebSocket-Key: D5w5MTLTuGFOnvg9t2AyKw==
    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic | HTTP traffic detected:
    GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Origin: null
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/74?0 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    Origin: null
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /s/74?0 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /r/74?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept: */*
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: global traffic | HTTP traffic detected:
    GET /p/298?session=770558a25b5d1fcbb8d81f113631d430f5b8d022cdc6d97cf6b16a412a3be9e6 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: Upgrade
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Upgrade: websocket
    Origin: null
    Sec-WebSocket-Version: 13
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Sec-WebSocket-Key: 8iFunXv0UihAsPSlM50XsQ==
    Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits
Source: global traffic | DNS traffic detected: DNS query: ce60771026585.oakdiiocese.org
Source: global traffic | DNS traffic detected: DNS query: upload.wikimedia.org
Source: global traffic | DNS traffic detected: DNS query: cdn2.iconfinder.com
Source: global traffic | DNS traffic detected: DNS query: static.vecteezy.com
Source: global traffic | DNS traffic detected: DNS query: www.google.com
Source: global traffic | DNS traffic detected: DNS query: cdnjs.cloudflare.com
Source: global traffic | DNS traffic detected: DNS query: code.jquery.com
Source: unknown | HTTP traffic detected:
    POST /r/5?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1
    Host: ce60771026585.oakdiiocese.org
    Connection: keep-alive
    Content-Length: 373
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRByDKjPc2ptD5JIW
    Accept: */*
    Origin: null
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
Source: chromecache_80.12.dr | String found in binary or memory: http://fontawesome.io
Source: chromecache_80.12.dr | String found in binary or memory: http://fontawesome.io/license
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 50012
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49826 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49816
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 49816 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 50012 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49826
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
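The requests to ce60771026585.oakdiiocese.org above are the kit's client-side flow as captured: a GET carrying the victim's address in the query string, the /s/<id>?0 and /r/<id>?session=<hex> pair, a WebSocket upgrade to /p/<id>?session=<hex>, and a multipart POST back to /r/<id>?session=<hex>. The Python below is an added triage helper, not code from the Joe Sandbox report, from Joe Sandbox itself or from the kit: it re-splits the report's HTTP request records into headers (the export runs the request line and every header together), tags each request, and names the host that combines the indicators. Its sample input is copied from the records above (the single response record is truncated and included only to show that responses are skipped); the tag names, the KNOWN_HEADERS list and the two-indicator threshold are my own choices.

```python
"""Re-split Joe Sandbox "HTTP traffic detected" records and flag phishing-kit indicators.
Added triage helper: not code from the report, from Joe Sandbox or from the kit."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# The export glues each header onto the end of the previous value, so the only
# safe split points are known header names followed by ": ". Extend as needed.
KNOWN_HEADERS = [
    "Host", "Connection", "Pragma", "Cache-Control", "Content-Length", "Content-Type",
    "sec-ch-ua", "sec-ch-ua-mobile", "sec-ch-ua-platform", "User-Agent", "Upgrade",
    "Origin", "Accept", "Accept-Encoding", "Accept-Language", "Sec-Fetch-Site",
    "Sec-Fetch-Mode", "Sec-Fetch-Dest", "Sec-WebSocket-Version", "Sec-WebSocket-Key",
    "Sec-WebSocket-Extensions", "Intervention", "Cookie",
]
_SPLIT = re.compile(r"(?=(?:%s): )" % "|".join(re.escape(h) for h in KNOWN_HEADERS))
_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
_MARKER = "HTTP traffic detected:"
STRONG = {"email_in_query", "websocket_upgrade", "session_post"}  # tag names are mine

@dataclass
class Request:
    method: str
    path: str
    query: list      # (name, value) pairs from the query string
    headers: dict

def parse_record(line):
    """One report record -> Request; None for response records and other lines.
    Handles both the flattened one-line form and one header per line."""
    body = line.split(_MARKER, 1)[1] if _MARKER in line else line
    pieces = [p.strip() for chunk in body.splitlines() for p in _SPLIT.split(chunk)]
    pieces = [p for p in pieces if p]
    tokens = pieces[0].split(" ") if pieces else []
    if len(tokens) != 3 or not tokens[2].startswith("HTTP/"):
        return None
    method, target, _ = tokens
    headers = {}
    for piece in pieces[1:]:
        name, sep, value = piece.partition(": ")
        if sep:
            headers[name] = value
    parts = urlsplit(target)
    return Request(method, parts.path, parse_qsl(parts.query, keep_blank_values=True), headers)

def indicators(req):
    """Tags for one request. null_origin is context, not evidence: Chrome sends
    "Origin: null" on cors-mode, WebSocket and form requests from a page opened
    via file://, which is how Outlook handed the cached .html to Chrome."""
    tags = set()
    if any(_EMAIL.fullmatch(v) for _, v in req.query):
        tags.add("email_in_query")      # victim address carried in the lure URL
    if req.headers.get("Origin") == "null":
        tags.add("null_origin")
    if req.headers.get("Upgrade", "").lower() == "websocket":
        tags.add("websocket_upgrade")   # live channel to the kit back end
    if (req.method == "POST" and any(n == "session" for n, _ in req.query)
            and req.headers.get("Content-Type", "").startswith("multipart/form-data")):
        tags.add("session_post")        # form submission keyed to the kit session
    return tags

def summarize(lines):
    """Union of tags per host, plus the victim address and kit session ids seen."""
    hosts, emails, sessions = {}, set(), set()
    for line in lines:
        req = parse_record(line)
        if req is None:
            continue
        hosts.setdefault(req.headers.get("Host", "?"), set()).update(indicators(req))
        for name, value in req.query:
            if _EMAIL.fullmatch(value):
                emails.add(value)
            elif name == "session" and value:
                sessions.add(value)
    # Two or more strong indicators on one host is the kit; a lone null_origin
    # is just the local-file page talking to a CDN.
    return {
        "hosts": {h: sorted(t) for h, t in sorted(hosts.items())},
        "phishing_hosts": sorted(h for h, t in hosts.items() if len(t & STRONG) >= 2),
        "victim_emails": sorted(emails),
        "sessions": sorted(sessions),
    }

# Copied from the report's records above; the first (a response) is truncated.
SAMPLE_RECORDS = [
    'Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 25 Feb 2025 21:19:43 GMTContent-Type: application/javascriptContent-Length: 16502Connection: keep-alive',
    'Source: global trafficHTTP traffic detected: GET /system/resources/thumbnails/007/341/229/small_2x/social-networks-and-dating-apps-linear-seamless-pattern-with-message-icons-emoticons-and-hearts-vector.jpg HTTP/1.1Host: static.vecteezy.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: imageAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9',
    'Source: global trafficHTTP traffic detected: GET /ajax/libs/font-awesome/4.7.0/css/font-awesome.css HTTP/1.1Host: cdnjs.cloudflare.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"Origin: nullsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: text/css,*/*;q=0.1Sec-Fetch-Site: cross-siteSec-Fetch-Mode: corsSec-Fetch-Dest: styleAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9',
    'Source: global trafficHTTP traffic detected: GET /s/bea9e3006?ca28c539a052=johng@edcodistributing.com HTTP/1.1Host: ce60771026585.oakdiiocese.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9',
    'Source: global trafficHTTP traffic detected: GET /s/5?0 HTTP/1.1Host: ce60771026585.oakdiiocese.orgConnection: keep-aliveOrigin: nullUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9',
    'Source: global trafficHTTP traffic detected: GET /r/5?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1Host: ce60771026585.oakdiiocese.orgConnection: keep-aliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept: */*Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9',
    'Source: global trafficHTTP traffic detected: GET /p/174?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1Host: ce60771026585.oakdiiocese.orgConnection: UpgradePragma: no-cacheCache-Control: no-cacheUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Upgrade: websocketOrigin: nullSec-WebSocket-Version: 13Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Sec-WebSocket-Key: D5w5MTLTuGFOnvg9t2AyKw==Sec-WebSocket-Extensions: permessage-deflate; client_max_window_bits',
    'Source: unknownHTTP traffic detected: POST /r/5?session=49c865d93bd19e8e377c8ce3bc982e8511ab0c2303b06acd6e55c8a2e3c58105 HTTP/1.1Host: ce60771026585.oakdiiocese.orgConnection: keep-aliveContent-Length: 373User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryRByDKjPc2ptD5JIWAccept: */*Origin: nullAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9',
]

if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_RECORDS), indent=2))
```

On this input the only host with two or more strong indicators is ce60771026585.oakdiiocese.org; cdnjs.cloudflare.com also carries Origin: null, which is why null_origin is kept out of the scoring set. A header name missing from KNOWN_HEADERS stays glued to the previous value rather than causing an error, so extend the list before feeding records from a report with other headers.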
Source: classification engine | Classification label: mal72.phis.winEML@17/46@24/14
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250225T1618090326-988.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File read: C:\Users\desktop.ini
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\368c6e62-b031-5b65-fd43-e7a610184138.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "67D385A1-27FE-4E07-86B9-94810C333F87" "D861C0DB-62BC-4630-8072-A1D53B1A21DE" "988" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\EPW41G58\.html
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2044 --field-trial-handle=1944,i,14744373880368174439,710685261765140174,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (10 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: Google Drive.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.11.dr | LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX (56 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (2 occurrences)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (the number in parentheses after a technique is the count shown in that matrix cell):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: Browser Extensions (31); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook
Privilege Escalation: Process Injection (1); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook
Defense Evasion: Masquerading (3); Modify Registry (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: Process Discovery (1); File and Directory Discovery (1); System Information Discovery (13); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (2); Non-Application Layer Protocol (4); Application Layer Protocol (5)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction