Windows Analysis Report
phish_alert_sp2_2.0.0.0.eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0.eml
Analysis ID: 1635291
MD5: 6ff82d676f0e9d0a2d9ce1421ff64339
SHA1: 99c0ddb5d06f98ac27bb9843579a46ecc06d01aa
SHA256: 458cbc1b9700c069b6721be6cb7c28a1ac1ca40556a9eb376b0b275df75216a7

Detection

Score: 48
Range: 0 - 100
Confidence: 100%

Signatures

AI detected suspicious elements in Email content
AI detected suspicious elements in Email header
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 7000 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6276 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CA534960-B19E-4C54-BA16-C6FE3DA4476C" "CEB40F16-D597-45A9-9D8E-5A3A9FED42CF" "7000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Sigma detected: Office Autorun Keys Modification; Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7000, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched


Phishing

Source: Email; Joe Sandbox AI: Detected potential phishing email: Suspicious sender domain 'sorabada38.com' doesn't match the claimed identity. Directing recipient to a suspicious personal website for resume download. Generic/vague job application with minimal details, typical phishing pattern
Source: Email; Joe Sandbox AI: Detected suspicious elements in Email header: Suspicious return-path domain 'sorabada38.com' appears to be non-standard and potentially malicious. Content-type boundary contains unusual characters and formatting, which is often seen in malicious emails. Message claims to be from Microsoft/Outlook infrastructure but routing doesn't match typical Microsoft patterns. Despite clean spam scores, the combination of suspicious domain and unusual boundary formatting suggests potential malicious intent. Unknown sender score of 20 in Proofpoint details indicates sender reputation issues. The email uses legitimate-looking Microsoft headers but shows signs of header spoofing
Source: Email; Classification: Lure-Based Attack
Source: OUTLOOK_16_0_16827_20130-20250311T1010350301-7000.etl.0.dr; String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20250311T1010350301-7000.etl.0.dr; String found in binary or memory: https://login.windows.localnull
Source: classification engine; Classification label: mal48.winEML@3/3@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250311T1010350301-7000.etl
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CA534960-B19E-4C54-BA16-C6FE3DA4476C" "CEB40F16-D597-45A9-9D8E-5A3A9FED42CF" "7000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix (numbers in parentheses are the counts shown in the matrix)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
Execution: Windows Management Instrumentation, Scheduled Task/Job, At, Cron
Persistence: Browser Extensions (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook
Privilege Escalation: Process Injection (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook
Defense Evasion: Masquerading (1), Modify Registry (1), Process Injection (1), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
Discovery: Process Discovery (1), System Information Discovery (12), Query Registry, System Network Configuration Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
Collection: Data from Local System, Data from Removable Media, Data from Network Shared Drive, Input Capture
Command and Control: Data Obfuscation, Junk Data, Steganography, Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction
No Antivirus matches
URL: https://login.windows.localnull; Detection: 0%; Scanner: Avira URL Cloud; Label: safe

Domain: s-0005.dual-s-dc-msedge.net; IP: 52.123.131.14; Active: true; Malicious: false; Reputation: high

URL: https://login.windows.localnull; Source: OUTLOOK_16_0_16827_20130-20250311T1010350301-7000.etl.0.dr; Malicious: false; Antivirus Detection: Avira URL Cloud: safe; Reputation: unknown
URL: https://login.windows.localR; Source: OUTLOOK_16_0_16827_20130-20250311T1010350301-7000.etl.0.dr; Malicious: false; Reputation: high

No contacted IP infos
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1635291
Start date and time: 2025-03-11 15:10:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 31s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: phish_alert_sp2_2.0.0.0.eml
Detection: MAL
Classification: mal48.winEML@3/3@0/0
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.68.129, 2.22.242.104, 2.22.242.105, 2.22.242.81, 52.111.243.42, 52.111.243.43, 52.111.243.40, 52.111.243.41, 20.42.73.26, 52.123.131.14, 40.126.32.136, 23.60.203.209, 172.202.163.200, 2.19.122.46
• Excluded domains from analysis (whitelisted): www.bing.com, ecs.office.com, omex.cdn.office.net, self-events-data.trafficmanager.net, fs.microsoft.com, slscr.update.microsoft.com, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, roaming.officeapps.live.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, dual-s-0005-office.config.skype.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, login.live.com, onedscolprdeus09.eastus.cloudapp.azure.com, frc-azsc-000.roaming.officeapps.live.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akamaized.net, a1864.dscd.akamai.net
• Not all processes were analyzed; the report is missing behavior information.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
No context
Match: s-0005.dual-s-dc-msedge.net (associated samples, with detection, threat name and context IP)
• phish_alert_sp2_2.0.0.0.eml; Detection: malicious; Threat Name: KnowBe4; Context: 52.123.130.14
• phish_alert_sp2_2.0.0.0 (2).eml; Detection: malicious; Threat Name: Unknown; Context: 52.123.131.14
• Quote 09052022_1.xlsx; Detection: malicious; Threat Name: Unknown; Context: 52.123.130.14
• Denise Salvano shared _Kerry Ingredients Flooring Standards_ with you.eml; Detection: malicious; Threat Name: Unknown; Context: 52.123.131.14
• https://xegan4.site/nD4M/dW5.xls; Detection: malicious; Threat Name: PureLog Stealer; Context: 52.123.130.14
• VirusShare_661c60ba6e4e5e7864714aed6cda9d55.zip; Detection: malicious; Threat Name: Unknown; Context: 52.123.130.14
• PO202503S.xlsm; Detection: malicious; Threat Name: Snake Keylogger, VIP Keylogger; Context: 52.123.130.14
• Ref PO24777.xls; Detection: malicious; Threat Name: Unknown; Context: 52.123.130.14
• phish_alert_sp2_2.0.0.0(9).eml; Detection: malicious; Threat Name: Unknown; Context: 52.123.131.14
• R.D. Bitzer Co. Inc.xlsm; Detection: malicious; Threat Name: Unknown; Context: 52.123.131.14
      No context

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 118784
Entropy (8bit): 4.607914604310286
Encrypted: false
SSDEEP: 768:lmhSvMKdiRyamtz/h4Vd9IuJu5MJZ9kvbbCK6PjniYX7wGHn497:zvMKc04FIugK39kTXijVX7pk
MD5: 4A622476EF02F376CCFDCF44A3344707
SHA1: 2EB63688BD828C6F2ECAA437A48537353AE36CB4
SHA-256: 4EF5F28AEB58681D8AAE2B87261ACAD05587D6E1BBF28AD2E3FA97E4072FD141
SHA-512: 3EF4FBD974965F596BFC353E6F9B5B6835922BF075E450F4D2C2F6ECB82C21BB99D2F12989DA42F7B5EC708661226BE8C8F0EFD01AFF2F083035AE7301F75552
Malicious: false
Reputation: low

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: Microsoft Outlook email folder (>=2003)
Category: dropped
Size (bytes): 271360
Entropy (8bit): 2.813960120122311
Encrypted: false
SSDEEP: 1536:acmRkIaCt5a5QJExB55GcskmZixeRPoRr7Ef+EW53jEpEHPVQ10BAwrLDzLfPW5B:RHQ5a5QDZDJ+Gpj6vxpj
MD5: B219E2479067A20C5E95B4D666D8521F
SHA1: 79ECBC8F604713096BB525D6624413FA952C92C4
SHA-256: 77114F43C7C5072BB5F10E63C82DE9EF6871D468C21D411F0F23ECA9AA95368C
SHA-512: 3D8E64E435EBA3059EEB7CBDB6DA53B31BE6201ABF15C80D0B52EBB059B0F39E95EDF512D7CC7327D6A123C6974C5EAE429701C9D5911A77277192ABD8DB2FD3
Malicious: true
Reputation: low

Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 131072
Entropy (8bit): 3.444341813066032
Encrypted: false
SSDEEP: 1536:5kRLf3cYjm5a5QnW53jEpEHPVQ10BAwrcdI1/LEflz:ydg5a5QppjM8l
MD5: 2AFB6190D1EA12651A45E45495B31091
SHA1: 242C51BEA26D6F6BA3D22FA9666B40EEFA36AD62
SHA-256: E1B1E61DD045A64C943F81A80AFF999F0C3BBBB055B13859AEC3F3588F48BB9F
SHA-512: 124F86078872478A6018356AA0F77C98D973EBDEF3C2B17C63DBEE51094A5D8239B103AD8F818B92E3CDF9AF9B055F4C00FB686B6EF1C11DF673A1EDD50F5065
Malicious: true
Reputation: low

File type: RFC 822 mail, ASCII text, with very long lines (2265), with CRLF line terminators
Entropy (8bit): 6.108833980941206
TrID:
• E-Mail message (Var. 5) (54515/1) 100.00%
File name: phish_alert_sp2_2.0.0.0.eml
File size: 18'858 bytes
MD5: 6ff82d676f0e9d0a2d9ce1421ff64339
SHA1: 99c0ddb5d06f98ac27bb9843579a46ecc06d01aa
SHA256: 458cbc1b9700c069b6721be6cb7c28a1ac1ca40556a9eb376b0b275df75216a7
SHA512: b7fa622bf7a244a905676b682a99ac1dc5feec323a61e5d0277daaeb5d02577b2bd182a9d5da282d5c926b6a18dfd61f81c7f2c0d62af5236c26817c83c5340a
SSDEEP: 384:8imSlhLZwvN9vVDRnXH9haftVIRktsN5DG1oOQ2C8GHbow:8iBnq19vVDRX3qtVIRjvq1HQ2T9w
TLSH: 88826D217D4D3C165EE1A2C49211BD1293A130C281F2E4D43BAF86E936CF56EF75BA4E
File Content Preview: Received: from SJ0PR07MB8709.namprd07.prod.outlook.com.. (2603:10b6:a03:376::14) by CH0PR07MB9869.namprd07.prod.outlook.com with.. HTTPS; Tue, 11 Mar 2025 11:53:49 +0000..Received: from DB3PR08CA0005.eurprd08.prod.outlook.com (2603:10a6:8::18) by.. SJ0PR0
Subject: Field Service Technician
From: Jessica Suggs <jessica@sorabada38.com>
To: Denis Keegan <denis.keegan@vontas.com>
Cc:
BCC:
Date: Tue, 11 Mar 2025 11:52:56 +0000
Communications:
• EXTERNAL: Do not click links or open attachments if you do not recognize the sender. Dear Denis. Im interested in applying for the Field Service Technician role in San Jose, CA. My resume is on jessicasuggs. com. Please let me know if you need more details. Best regards Jessica Suggs
      Attachments:
Received: from YQXPR01MB3015.CANPRD01.PROD.OUTLOOK.COM ([fe80::e192:ebb2:b0df:6f47]) by YQXPR01MB3015.CANPRD01.PROD.OUTLOOK.COM ([fe80::e192:ebb2:b0df:6f47%4]) with mapi id 15.20.8511.025; Tue, 11 Mar 2025 11:53:40 +0000
Arc-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=MJvxOwVv5KLfzRi90gAJz5fq+A6u2zMPk9q+EK3X8c+IGz4Zn8g+/oxrokXdJngThv0KgNe6TGXPT74jMA/HUjhYF56RdV+UZw7QaSAdPMjhcLsYsi7nNmIerQyOTpDRbz6X0D285H4C3qnLp0mOl9PyACHGrQsRfGnFHlP2s1FU6+Goad+yqSzM6vk1ENKHVlm9McD76mg+DApxtpWexbBMZf6iumkRI6r/Dxz8oe7XZmhiXlgEzhL37E/B1uNsz83jjjDkaMHgL7YJlb8DBWxLmwgpuh/0EUoA0gl1d9bIrNuVBzKX5K7p4jyZBmwQBww/d5/1QdOjNiF9X4N7ww==
Arc-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=Us0JRRHIhvKen2WAgUSbFwziWD7qIcNPxJytlUOxmNg=; b=IOnYsszqQyB450wI7QHQaNzleneXqlR5FY7zmdSth6qQdueGJKfzPq4H9qXLtIuJqFC5uVqOtZgy5vT4OguDqElVG7RlBLWE//ntw8pj9eDGeG8Ek+Ol9mbs+V5YJPZTNdGrKB5jyZEz8RCr4T5Vzo6UbxVpOiWxeUpgDc7t4UBBQ70/9LjZiOvpWWpuYvgG34TfDHGZB4cPoAR5Y7vL0NIorG4tcbO/gkgkkEhxrL41geOozeM0NhiYil0/NE2/yihkVWrXrZf/VqFgICv/DIatRauX8fCvAaBqMNdVeGXTMekPfSyvEE91040ivTodZORXoP1r27OBdBEbi1P+2Q==
Arc-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=sorabada38.com; dmarc=pass action=none header.from=sorabada38.com; dkim=pass header.d=sorabada38.com; arc=none
Authentication-Results: spf=fail (sender IP is 67.231.151.23) smtp.mailfrom=sorabada38.com; dkim=pass (signature was verified) header.d=sorabada38.com;dmarc=bestguesspass action=none header.from=sorabada38.com;compauth=pass reason=109
Received-Spf: Fail (protection.outlook.com: domain of sorabada38.com does not designate 67.231.151.23 as permitted sender) receiver=protection.outlook.com; client-ip=67.231.151.23; helo=mx0d-001a4c01.pphosted.com;
Authentication-Results-Original: ppops.net; dkim=pass header.s=selector1 header.d=sorabada38.com; spf=pass smtp.mailfrom=jessica@sorabada38.com; dmarc=none
Dkim-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sorabada38.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Us0JRRHIhvKen2WAgUSbFwziWD7qIcNPxJytlUOxmNg=; b=aUnHlIAsSuH2cpui8BIsEhTC2Ei4a8EQTS32ZjiQLvsuli/NpmGBidgDtluGIVPL4SRd676VAV9jQP0c6RXqD+LgmW/dSYGOHZACrDGGbSurhnX83KwcohELHR3yszaMMALeJN0EavoQX1U/lH+0yt6yidnYJyvm8v26MqknR9ooHar0U75BALcXaMhCwSZ8zw5Xhxaq3dgMdV8TasC1/Qby4wpzd1iNGhz/4KEn+BIWoV8cNgMhjUQJbxG9rvYv21yOEB+7ynPJWzk+xo4MKO+xJTFaIr4u1kuAS/H+DTJxU99PvFauZsqr5c2kHQcShkMXaKmyWmwjUpPJBe/dDA==
From: Jessica Suggs <jessica@sorabada38.com>
To: Denis Keegan <denis.keegan@vontas.com>
Subject: Field Service Technician
Thread-Topic: Field Service Technician
Thread-Index: AduSe+oxPBfbbt/eQKaezEqrDf1Wbg==
Date: Tue, 11 Mar 2025 11:52:56 +0000
Message-Id: <YQXPR01MB3015298D953AD2B01C86E776D3D12@YQXPR01MB3015.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-Ms-Traffictypediagnostic: YQXPR01MB3015:EE_|YT2PR01MB5983:EE_|DU6PEPF0000A7E0:EE_|DB4P191MB2341:EE_|SJ0PR07MB8709:EE_|CH0PR07MB9869:EE_
X-Ms-Office365-Filtering-Correlation-Id: 65d9d853-d840-49c6-5ccf-08dd60935fd2
X-Ms-Exchange-Senderadcheck: 1
X-Ms-Exchange-Antispam-Relay: 0
X-Microsoft-Antispam-Untrusted: BCL:0;ARA:13230040|376014|34036016|586017|41320700013|366016|1800799024|8096899003|38070700018;
        X-Microsoft-Antispam-Message-Info-Original 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
        X-Forefront-Antispam-Report-Untrusted CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YQXPR01MB3015.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(34036016)(586017)(41320700013)(366016)(1800799024)(8096899003)(38070700018);DIR:OUT;SFP:1102;
        X-Ms-Exchange-Antispam-Messagedata-Original-Chunkcount1
        X-Ms-Exchange-Antispam-Messagedata-Original-0 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
        Content-Typemultipart/mixed; boundary="----sinikael-?=_1-17416961161420.058884388928882814"
        MIME-Version1.0
        X-Ms-Exchange-Transport-CrosstenantheadersstampedDB4P191MB2341
        X-Proofpoint-Orig-GuidkMJjjsfgUehFfa3_SAZ3MMmWwMeXaRM4
        X-Clx-ShadesMLX
        X-Proofpoint-GuidkMJjjsfgUehFfa3_SAZ3MMmWwMeXaRM4
        X-Clx-Response 1TFkXGx4RCkx6FxoRCllEF2VIclJ9ZHx6c3AFEQpYWBdkZUdkBWtmZW98RxE KeE4XY2cZfHtLbUdCRkERCnlMF2hAaU9fX0ZpXkJYEQpDSBcHGxgRCkNZFwcYHxIRCkNJFxoEGh oaEQpZTRdnZnIRCl9ZFx0eEQpfTRdnZnIRCllJFwcZGnEbBgccGncGGxoeBhoGGgYbGhoGGnEaE Bp3BhoGBxsaGgYaBhoGGgYacRoQGncGGhEKWV4XbGx5EQpJRhdcRUZLWENZdUJFWV5PThEKSUcX eE9NEQpDThdBZ2BAQFlMTX9PQmxMSxl1eWtwGWdnR31dZ09yS3hnHhEKWFwXHwQaBBkTHgUbGgQ bGxoEGxkeBBkZEBseGh8aEQpeWRdMaElAQhEKTVwXGR4YEQpMWhdsQ2tvaxEKTEYXb29rY2trax EKQk8Xb29tbl1CSE9LXm0RCkNaFx8YBBsaGwQbExsEGxkbEQpCXhcbEQpCXBcbEQpeThcbEQpCS xdjZxl8e0ttR0JGQREKQkkXY2cZfHtLbUdCRkERCkJFF2BDHWd8E1t6EkJhEQpCThdjZxl8e0tt R0JGQREKQkwXZGVHZAVrZmVvfEcRCkJsF2VoGxltcEkTaE17EQpCQBdoTWBeX3JCe2ZPThEKQlg XaW1SQWZFHGRYGU0RCk1eFwcbEQpaWBcbEQp5QxdveU8ZZmtzTmFCexEKWUsXGxseGhEKcGgXek NYHVxeZVxfHEcQBxkaEQpwaBdmUnxdRUAcSFh4YBAHGRoRCnBoF25/f1hHGGRkYXBvEAcZGhEKc GgXbH0ZQ38BYV0aExsQBx4SEQpwaBdsUhgeT2VzRkV6RxAHGRoRCnBsF2tBZktLUHgcWBtCEAce EhEKcEwXa1BQYUljb0lFTUUQBxkaEQptfhcHGxEKWE0XSxEg
        X-ProofpointheaderYes
        X-Proofpoint-Virus-Versionvendor=baseguard engine=ICAP:2.0.293,Aquarius:18.0.1093,Hydra:6.0.680,FMLib:17.12.68.34 definitions=2025-03-11_01,2025-03-11_02,2024-11-22_01
        X-Proofpoint-Spam-Detailsrule=inbound_notspam policy=inbound score=0 lowpriorityscore=0 phishscore=0 unknownsenderscore=20 bulkscore=0 mlxlogscore=567 priorityscore=0 adultscore=0 mlxscore=0 clxscore=14 impostorscore=0 suspectscore=0 malwarescore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.21.0-2502100000 definitions=main-2503110078 domainage_hfrom=1140
        Return-Pathjessica@sorabada38.com
        X-Ms-Exchange-Organization-Expirationstarttime11 Mar 2025 11:53:44.0559 (UTC)
        X-Ms-Exchange-Organization-ExpirationstarttimereasonOriginalSubmit
        X-Ms-Exchange-Organization-Expirationinterval1:00:00:00.0000000
        X-Ms-Exchange-Organization-ExpirationintervalreasonOriginalSubmit
        X-Ms-Exchange-Organization-Network-Message-Id 65d9d853-d840-49c6-5ccf-08dd60935fd2
        X-Eopattributedmessage0
        X-Eoptenantattributedmessage75c696ec-5bfb-4892-9a0c-9187a9061cd6:0
        X-Ms-Exchange-Organization-MessagedirectionalityIncoming
        X-Ms-Exchange-Transport-Crosstenantheadersstripped DU6PEPF0000A7E0.eurprd02.prod.outlook.com
        X-Ms-PublictraffictypeEmail
        X-Ms-Office365-Filtering-Correlation-Id-Prvs f8558ac4-d0bb-4a93-73aa-08dd60935dd0
        X-Ms-Exchange-Organization-Scl-1
        X-Microsoft-Antispam BCL:0;ARA:13230040|35042699022|82310400026|8096899003;
        X-Forefront-Antispam-Report CIP:67.231.151.23;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mx0d-001a4c01.pphosted.com;PTR:mx0d-001a4c01.pphosted.com;CAT:NONE;SFS:(13230040)(35042699022)(82310400026)(8096899003);DIR:INB;
        X-Ms-Exchange-Crosstenant-Originalarrivaltime11 Mar 2025 11:53:43.6809 (UTC)
        X-Ms-Exchange-Crosstenant-Network-Message-Id 65d9d853-d840-49c6-5ccf-08dd60935fd2
        X-Ms-Exchange-Crosstenant-Id75c696ec-5bfb-4892-9a0c-9187a9061cd6
        X-Ms-Exchange-Crosstenant-Authsource DU6PEPF0000A7E0.eurprd02.prod.outlook.com
        X-Ms-Exchange-Crosstenant-AuthasAnonymous
        X-Ms-Exchange-Crosstenant-FromentityheaderInternet
        X-Ms-Exchange-Organization-Authsource DU6PEPF0000A7E0.eurprd02.prod.outlook.com
        X-Ms-Exchange-Organization-AuthasAnonymous
        X-Ms-Exchange-Transport-Endtoendlatency00:00:05.4729541
        X-Ms-Exchange-Processed-By-Bccfoldering15.20.8511.025
        X-Microsoft-Antispam-Mailbox-Delivery ucf:0;jmr:0;auth:0;dest:I;ENG:(910005)(944506478)(944626604)(4710137)(4712020)(920097)(930097)(140003);
        X-Microsoft-Antispam-Message-Info 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
        Content-Transfer-Encoding7bit

        Icon Hash:46070c0a8e0c67d6
        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
        Mar 11, 2025 15:10:36.702198029 CET | 1.1.1.1 | 192.168.2.16 | 0xdaff | No error (0) | ecs-office.s-0005.dual-s-msedge.net | shed.s-0005.dual-s-dc-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
        Mar 11, 2025 15:10:36.702198029 CET | 1.1.1.1 | 192.168.2.16 | 0xdaff | No error (0) | shed.s-0005.dual-s-dc-msedge.net | s-0005.dual-s-dc-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
        Mar 11, 2025 15:10:36.702198029 CET | 1.1.1.1 | 192.168.2.16 | 0xdaff | No error (0) | s-0005.dual-s-dc-msedge.net | | 52.123.131.14 | A (IP address) | IN (0x0001) | false
        Mar 11, 2025 15:10:36.702198029 CET | 1.1.1.1 | 192.168.2.16 | 0xdaff | No error (0) | s-0005.dual-s-dc-msedge.net | | 52.123.130.14 | A (IP address) | IN (0x0001) | false

        Target ID:0
        Start time:10:10:35
        Start date:11/03/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
        Wow64 process (32bit):true
        Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0.eml"
        Imagebase:0x30000
        File size:34'446'744 bytes
        MD5 hash:91A5292942864110ED734005B7E005C0
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        Target ID:1
        Start time:10:10:36
        Start date:11/03/2025
        Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
        Wow64 process (32bit):false
        Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "CA534960-B19E-4C54-BA16-C6FE3DA4476C" "CEB40F16-D597-45A9-9D8E-5A3A9FED42CF" "7000" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
        Imagebase:0x7ff7f6750000
        File size:710'048 bytes
        MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:false

        No disassembly