Windows Analysis Report
original (1).eml

Overview

General Information

Sample name:original (1).eml
Analysis ID:1640929
MD5:1c3ac788edac4e64a89c7582edf64298
SHA1:a13bc124cb8dc60ce7cee7f049e74bef29507e0b
SHA256:b4bc6c53056b1dc0a02afaf4e0e60c25fd04f69797f732b096b16e41d11695f2
Infos:

Detection

Score:48
Range:0 - 100
Confidence:100%

Signatures

AI detected suspicious Javascript
AI detected suspicious elements in Email content
Creates files inside the system directory
Deletes files inside the Windows folder
Detected suspicious crossdomain redirect
Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Stores large binary data to the registry

Classification

  • System is w10x64_ra
  • OUTLOOK.EXE (PID: 6880 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\original (1).eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7016 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91DBD980-9BAB-4C40-A5E6-FD06DCC4861C" "5694988E-8920-4367-8047-D3B1FB836D93" "6880" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
    • OUTLOOK.EXE (PID: 448 cmdline: "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RV7RZ7S9\phish_alert_sp2_2.0.0.0.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • chrome.exe (PID: 6452 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/comvj1qlei.u%25c2%25aDz%25c2%25aDh%25c2%25ADe%25c2%25aDt%25C2%25ADx%25C2%25ADm%25C2%25aDm%25C2%25ADb%25c2%25Ads%25c2%25aDp%25c2%25aDz%25C2%25ADb%25c2%25ado%25C2%25Adr%25c2%25aDqm.t%25e2%2580%258Bop%25e2%2580%258b%25e2%2580%258b%25e2%2580%258b%25E2%2580%258b%25E2%2580%258b%25e2%2580%258B%25E2%2580%258b/SYtuZHqzv&source=gmail&ust=1742307987600000&usg=AOvVaw1IiqrvdhzcAs1sObWgzCWL&PMCVSP=sArrslubEyvVASA&tirJArBCfzaxY=yqLdjtBSZCRV&ulTkdPr=HWIlPbnz&fBRitU=GrFJTlERiLmc&RIItJLWYB=xMXQWTYZLKyTY&woWbLnaOr=mKewHbQFyro&RelaXdIgoHbta=RiNEOwnGJepRoNM&ZYUNUjfzl=RsPNkQAaLKy&SDFvJUNuBQA=nFQYewmTCwqR&xSGvLMHvkUhY=demmDkMkykwR&TcRoHAasvcu=ObwHvrLQH&apdadiRvHY=yyGrvWf&fGvGcV=owVyOXS&WFmkckoWktyex=https://TsSwsGGp&tzJytaJDVyz=ClZGoUoNJrR&WKZgKhKRAfmxp=EengnMxr&NeRATgD=PELcSoLEH&CbXDiB=KfDSBUoZexuvdHZ&JvsBPtfN=eWiaHqxWqC&dBNqSJK=ItiNeIGALeKMPc&IKWPGihQznj=rTJSvENKTQ&yMHQaVpMrWGqL=FWOwAfDkV&zhPuaGLebXm=UhgkWbwqL MD5: E81F54E6C1129887AEA47E7D092680BF)
      • chrome.exe (PID: 3772 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,10987979171311680556,14611860430967735333,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)
  • cleanup
No yara matches
Sigma rule match (Office Autorun Keys Modification): Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00, EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 6880, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
Note on this match: the writer is OUTLOOK.EXE itself (PID 6880, the process that opened the sample) and the target is the registration subkey of the built-in OneNote add-in, set to an all-zero value. Nothing in the process tree shows the email installing an add-in, so this is Outlook's own add-in housekeeping falling inside the rule's key list rather than persistence established by the sample.
No Suricata rule has matched

Phishing

Source: 0.0..script.csv; Joe Sandbox AI: Detected suspicious JavaScript with source url: https://bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7... This script demonstrates high-risk behavior by using obfuscated code to execute a redirect to an unknown domain, which is a common tactic for phishing or malware distribution. The use of `location.replace()` to redirect the user without their consent, combined with the heavily encoded URL, indicates a strong likelihood of malicious intent.
Source: Email; Joe Sandbox AI: Detected potential phishing email: Contains suspicious long, obfuscated URLs with random characters and multiple redirects. Uses deceptive urgency and 'free offer' tactics to encourage clicking links. Claims to be from FirstOntario but uses suspicious external domains (ei23.com, ucjudgra12423.com)
Source: Email; Classification: Credential Stealer
Source: unknown; HTTPS traffic detected: 142.250.186.164:443 -> 192.168.2.16:49703 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.186.164:443 -> 192.168.2.16:49712 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.181.225:443 -> 192.168.2.16:49717 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 142.250.185.129:443 -> 192.168.2.16:49720 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.27.77:443 -> 192.168.2.16:49727 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 104.21.27.77:443 -> 192.168.2.16:49726 version: TLS 1.2
Source: chrome.exe; Memory has grown: Private usage: 0MB later: 38MB
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; HTTP traffic: Redirect from: www.google.com to https://cdn.ampproject.org/c/s/comvj1qlei.u%c2%adz%c2%adh%c2%ade%c2%adt%c2%adx%c2%adm%c2%adm%c2%adb%c2%ads%c2%adp%c2%adz%c2%adb%c2%ado%c2%adr%c2%adqm.t%e2%80%8bop%e2%80%8b%e2%80%8b%e2%80%8b%e2%80%8b%e2%80%8b%e2%80%8b%e2%80%8b/sytuzhqzv
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203 (listed 7 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 52.182.143.211 (listed 7 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 142.250.185.163 (listed 2 times)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1 (listed 24 times)
Source: global traffic; HTTP traffic detected:
GET /url?hl=en&q=https://cdn.ampproject.org/c/s/comvj1qlei.u%25c2%25aDz%25c2%25aDh%25c2%25ADe%25c2%25aDt%25C2%25ADx%25C2%25ADm%25C2%25aDm%25C2%25ADb%25c2%25Ads%25c2%25aDp%25c2%25aDz%25C2%25ADb%25c2%25ado%25C2%25Adr%25c2%25aDqm.t%25e2%2580%258Bop%25e2%2580%258b%25e2%2580%258b%25e2%2580%258b%25E2%2580%258b%25E2%2580%258b%25e2%2580%258B%25E2%2580%258b/SYtuZHqzv&source=gmail&ust=1742307987600000&usg=AOvVaw1IiqrvdhzcAs1sObWgzCWL&PMCVSP=sArrslubEyvVASA&tirJArBCfzaxY=yqLdjtBSZCRV&ulTkdPr=HWIlPbnz&fBRitU=GrFJTlERiLmc&RIItJLWYB=xMXQWTYZLKyTY&woWbLnaOr=mKewHbQFyro&RelaXdIgoHbta=RiNEOwnGJepRoNM&ZYUNUjfzl=RsPNkQAaLKy&SDFvJUNuBQA=nFQYewmTCwqR&xSGvLMHvkUhY=demmDkMkykwR&TcRoHAasvcu=ObwHvrLQH&apdadiRvHY=yyGrvWf&fGvGcV=owVyOXS&WFmkckoWktyex=https://TsSwsGGp&tzJytaJDVyz=ClZGoUoNJrR&WKZgKhKRAfmxp=EengnMxr&NeRATgD=PELcSoLEH&CbXDiB=KfDSBUoZexuvdHZ&JvsBPtfN=eWiaHqxWqC&dBNqSJK=ItiNeIGALeKMPc&IKWPGihQznj=rTJSvENKTQ&yMHQaVpMrWGqL=FWOwAfDkV&zhPuaGLebXm=UhgkWbwqL HTTP/1.1
Host: www.google.com
Connection: keep-alive
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Browser-Channel: stable
X-Browser-Year: 2025
X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=
X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.
X-Client-Data: CLbgygE=
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
GET /c/s/comvj1qlei.u%c2%aDz%c2%aDh%c2%ADe%c2%aDt%C2%ADx%C2%ADm%C2%aDm%C2%ADb%c2%Ads%c2%aDp%c2%aDz%C2%ADb%c2%ado%C2%Adr%c2%aDqm.t%e2%80%8Bop%e2%80%8b%e2%80%8b%e2%80%8b%E2%80%8b%E2%80%8b%e2%80%8B%E2%80%8b/SYtuZHqzv HTTP/1.1
Host: cdn.ampproject.org
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Browser-Channel: stable
X-Browser-Year: 2025
X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=
X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
GET /c/s/comvj1qlei.u%C2%ADz%C2%ADh%C2%ADe%C2%ADt%C2%ADx%C2%ADm%C2%ADm%C2%ADb%C2%ADs%C2%ADp%C2%ADz%C2%ADb%C2%ADo%C2%ADr%C2%ADqm.t%E2%80%8Bop%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B/SYtuZHqzv HTTP/1.1
Host: bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
X-Browser-Channel: stable
X-Browser-Year: 2025
X-Browser-Validation: wTKGXmLo+sPWz1JKKbFzUyHly1Q=
X-Browser-Copyright: Copyright 2025 Google LLC. All rights reserved.
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
GET /SYtuZHqzv HTTP/1.1
Host: comvj1qlei.uzhetxmmbspzborqm.top
Connection: keep-alive
sec-ch-ua: "Chromium";v="134", "Not:A-Brand";v="24", "Google Chrome";v="134"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/134.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: navigate
Sec-Fetch-Dest: document
Referer: https://bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org/
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: en-US,en;q=0.9
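The four requests above are one chain. The Google /url redirector forwards to whatever its q= parameter holds; the AMP cache serves the publisher page named in its /c/s/<host>/<path> path; and that host segment is padded with percent-encoded SOFT HYPHEN (%C2%AD) and ZERO WIDTH SPACE (%E2%80%8B) characters, which render as nothing and are discarded by hostname normalisation. The link a reader sees therefore never shows comvj1qlei.uzhetxmmbspzborqm.top, while the final GET goes exactly there. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of any Google component. It walks the chain offline from the URL in the chrome.exe command line and lists the hidden characters. The only assumption beyond the report is the AMP cache path convention (/c/s/ for https origins, /c/ for http), which is documented AMP cache behaviour and matches the third and fourth requests.

```python
"""Unwrap the redirect chain in this report without touching the network.

Added example for this page, not part of the Joe Sandbox report or of any
Google component. Assumes only the AMP cache path convention (/c/s/<host>/
<path> for https origins, /c/<host>/<path> for http).
"""
import unicodedata
from urllib.parse import parse_qs, unquote, urlsplit, urlunsplit

# The URL Outlook handed to chrome.exe (PID 6452), copied verbatim from the
# process tree. The random trailing parameters are lure padding; neither
# redirector reads them.
REPORT_URL = (
    "https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/"
    "comvj1qlei.u%25c2%25aDz%25c2%25aDh%25c2%25ADe%25c2%25aDt%25C2%25ADx"
    "%25C2%25ADm%25C2%25aDm%25C2%25ADb%25c2%25Ads%25c2%25aDp%25c2%25aDz"
    "%25C2%25ADb%25c2%25ado%25C2%25Adr%25c2%25aDqm.t%25e2%2580%258Bop"
    "%25e2%2580%258b%25e2%2580%258b%25e2%2580%258b%25E2%2580%258b"
    "%25E2%2580%258b%25e2%2580%258B%25E2%2580%258b/SYtuZHqzv"
    "&source=gmail&ust=1742307987600000&usg=AOvVaw1IiqrvdhzcAs1sObWgzCWL"
    "&PMCVSP=sArrslubEyvVASA&tirJArBCfzaxY=yqLdjtBSZCRV&ulTkdPr=HWIlPbnz"
    "&fBRitU=GrFJTlERiLmc&RIItJLWYB=xMXQWTYZLKyTY&woWbLnaOr=mKewHbQFyro"
    "&RelaXdIgoHbta=RiNEOwnGJepRoNM&ZYUNUjfzl=RsPNkQAaLKy&SDFvJUNuBQA=nFQYewmTCwqR"
    "&xSGvLMHvkUhY=demmDkMkykwR&TcRoHAasvcu=ObwHvrLQH&apdadiRvHY=yyGrvWf"
    "&fGvGcV=owVyOXS&WFmkckoWktyex=https://TsSwsGGp&tzJytaJDVyz=ClZGoUoNJrR"
    "&WKZgKhKRAfmxp=EengnMxr&NeRATgD=PELcSoLEH&CbXDiB=KfDSBUoZexuvdHZ"
    "&JvsBPtfN=eWiaHqxWqC&dBNqSJK=ItiNeIGALeKMPc&IKWPGihQznj=rTJSvENKTQ"
    "&yMHQaVpMrWGqL=FWOwAfDkV&zhPuaGLebXm=UhgkWbwqL"
)


def strip_format_chars(text: str) -> str:
    """Drop Unicode format characters (general category Cf): SOFT HYPHEN U+00AD
    and ZERO WIDTH SPACE U+200B in this sample; ZWJ/ZWNJ and bidi controls in
    general. They render as nothing and IDNA processing discards them, so the
    browser reaches the real host while the visible string hides it."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")


def hidden_format_chars(url: str) -> set[str]:
    """Unicode names of format characters hidden anywhere in a URL. Decodes
    twice because the lure nests a percent-encoded URL inside the redirector's
    q= parameter, so the characters arrive double-encoded (%25c2%25ad -> U+00AD)."""
    decoded = unquote(unquote(url))
    return {unicodedata.name(ch) for ch in decoded if unicodedata.category(ch) == "Cf"}


def unwrap_google_redirect(url: str) -> str:
    """www.google.com/url forwards to its q= parameter; source, ust, usg and the
    padding parameters do not influence the destination."""
    parts = urlsplit(url)
    if parts.netloc.lower() not in {"www.google.com", "google.com"} or parts.path != "/url":
        return url
    target = parse_qs(parts.query).get("q")
    return target[0] if target else url


def unwrap_amp_cache(url: str) -> str:
    """Rebuild the publisher URL behind an AMP cache content URL. Viewer (/v/)
    and image (/i/) forms are left untouched. Any *.cdn.ampproject.org host is
    accepted because the cache redirects to a per-publisher subdomain."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    if host != "cdn.ampproject.org" and not host.endswith(".cdn.ampproject.org"):
        return url
    if parts.path.startswith("/c/s/"):
        scheme, remainder = "https", parts.path[len("/c/s/"):]
    elif parts.path.startswith("/c/"):
        scheme, remainder = "http", parts.path[len("/c/"):]
    else:
        return url
    publisher, _, rest = remainder.partition("/")
    # Percent-decode the host segment, then remove the invisible padding.
    publisher = strip_format_chars(unquote(publisher)).lower()
    return urlunsplit((scheme, publisher, "/" + rest, parts.query, parts.fragment))


UNWRAPPERS = (unwrap_google_redirect, unwrap_amp_cache)


def resolve_chain(url: str, max_hops: int = 10) -> list[str]:
    """Follow the known redirectors offline; returns every hop, first to last."""
    hops = [url]
    while len(hops) < max_hops:
        for unwrap in UNWRAPPERS:
            nxt = unwrap(hops[-1])
            if nxt != hops[-1]:
                hops.append(nxt)
                break
        else:
            break  # fixed point: nothing recognised the current URL
    return hops


def final_host(url: str) -> str:
    """Hostname the browser ultimately contacts for a lure URL."""
    return urlsplit(resolve_chain(url)[-1]).netloc


if __name__ == "__main__":
    for i, hop in enumerate(resolve_chain(REPORT_URL)):
        print(f"hop {i}: {hop}")
    print("hidden characters:", sorted(hidden_format_chars(REPORT_URL)))
```

Run stand-alone it prints three hops; the last one matches the Host and path of the final request above. The 52-character subdomain on the third request (bhu6pdc3q3pe...cdn.ampproject.org) is the AMP cache's hash-derived form of the publisher hostname, which is why the code recognises the cache by the cdn.ampproject.org suffix rather than by an exact hostname. For mail-gateway or proxy rules the durable signal is hidden_format_chars(): a hostname has no legitimate reason to carry category-Cf characters, percent-encoded or not, and the check does not depend on which redirector or cache the lure happens to chain through.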
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: cdn.ampproject.org
Source: global traffic; DNS traffic detected: DNS query: bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org
Source: global traffic; DNS traffic detected: DNS query: comvj1qlei.uzhetxmmbspzborqm.top
Source: global traffic; DNS traffic detected: DNS query: 8ybk.3cr8i4jcqyoqebw6j.com
Source: global traffic; DNS traffic detected: DNS query: google.com
Source: unknown; Network traffic detected: HTTP traffic on port 443 -> 49720, 49712 -> 443, 49679 -> 443, 49703 -> 443, 49726 -> 443, 49727 -> 443, 49671 -> 443, 49729 -> 443, 49720 -> 443, 443 -> 49729, 49716 -> 443, 443 -> 49717, 443 -> 49716, 443 -> 49727, 49717 -> 443, 443 -> 49726, 443 -> 49737, 443 -> 49703, 49737 -> 443, 443 -> 49712
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File created: C:\Windows\SystemTemp\scoped_dir6452_201835690
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; File deleted: C:\Windows\SystemTemp\scoped_dir6452_201835690
Source: classification engine; Classification label: mal48.winEML@31/2@25/184
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20250317T1635320878-6880.etl
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; File read: C:\Users\desktop.ini
Source: unknown; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\original (1).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "91DBD980-9BAB-4C40-A5E6-FD06DCC4861C" "5694988E-8920-4367-8047-D3B1FB836D93" "6880" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\RV7RZ7S9\phish_alert_sp2_2.0.0.0.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/comvj1qlei.u%25c2%25aDz%25c2%25aDh%25c2%25ADe%25c2%25aDt%25C2%25ADx%25C2%25ADm%25C2%25aDm%25C2%25ADb%25c2%25Ads%25c2%25aDp%25c2%25aDz%25C2%25ADb%25c2%25ado%25C2%25Adr%25c2%25aDqm.t%25e2%2580%258Bop%25e2%2580%258b%25e2%2580%258b%25e2%2580%258b%25E2%2580%258b%25E2%2580%258b%25e2%2580%258B%25E2%2580%258b/SYtuZHqzv&source=gmail&ust=1742307987600000&usg=AOvVaw1IiqrvdhzcAs1sObWgzCWL&PMCVSP=sArrslubEyvVASA&tirJArBCfzaxY=yqLdjtBSZCRV&ulTkdPr=HWIlPbnz&fBRitU=GrFJTlERiLmc&RIItJLWYB=xMXQWTYZLKyTY&woWbLnaOr=mKewHbQFyro&RelaXdIgoHbta=RiNEOwnGJepRoNM&ZYUNUjfzl=RsPNkQAaLKy&SDFvJUNuBQA=nFQYewmTCwqR&xSGvLMHvkUhY=demmDkMkykwR&TcRoHAasvcu=ObwHvrLQH&apdadiRvHY=yyGrvWf&fGvGcV=owVyOXS&WFmkckoWktyex=https://TsSwsGGp&tzJytaJDVyz=ClZGoUoNJrR&WKZgKhKRAfmxp=EengnMxr&NeRATgD=PELcSoLEH&CbXDiB=KfDSBUoZexuvdHZ&JvsBPtfN=eWiaHqxWqC&dBNqSJK=ItiNeIGALeKMPc&IKWPGihQznj=rTJSvENKTQ&yMHQaVpMrWGqL=FWOwAfDkV&zhPuaGLebXm=UhgkWbwqL
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1976,i,10987979171311680556,14611860430967735333,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe; Process created: unknown unknown (22 entries; image and command line not captured by the sandbox)
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe; Section loaded: apphelp.dll, c2r64.dll, userenv.dll, msasn1.dll, kernel.appcore.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Window found: window name: SysTabControl32
Source: Window Recorder; Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE; Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{2B379600-B42B-4FE9-A59C-A312FB934935} DeviceTicket
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures the report attaches to that technique):

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | Browser Extensions (21) | Process Injection (1) | Masquerading (11) | OS Credential Dumping | Process Discovery (1) | Remote Services | Data from Local System | Encrypted Channel (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | DLL Side-Loading (1) | Modify Registry (1) | LSASS Memory | File and Directory Discovery (1) | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer (1) | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Extra Window Memory Injection (1) | Process Injection (1) | Security Account Manager | System Information Discovery (13) | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol (2) | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | DLL Side-Loading (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Application Layer Protocol (3) | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | File Deletion (1) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Extra Window Memory Injection (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
No Antivirus matches
| Source | Detection | Scanner | Label |
|---|---|---|---|
| https://comvj1qlei.uzhetxmmbspzborqm.top/SYtuZHqzv | 0% | Avira URL Cloud | safe |
| https://cdn.ampproject.org/c/s/comvj1qlei.u%c2%aDz%c2%aDh%c2%ADe%c2%aDt%C2%ADx%C2%ADm%C2%aDm%C2%ADb%c2%Ads%c2%aDp%c2%aDz%C2%ADb%c2%ado%C2%Adr%c2%aDqm.t%e2%80%8Bop%e2%80%8b%e2%80%8b%e2%80%8b%E2%80%8b%E2%80%8b%e2%80%8B%E2%80%8b/SYtuZHqzv | 0% | Avira URL Cloud | safe |
| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high |
| google.com | 142.251.36.78 | true | false | | high |
| comvj1qlei.uzhetxmmbspzborqm.top | 104.21.27.77 | true | false | | unknown |
| www.google.com | 142.250.186.164 | true | false | | high |
| s-0005.dual-s-msedge.net | 52.123.129.14 | true | false | | high |
| cdn-content.ampproject.org | 142.250.181.225 | true | false | | high |
| 8ybk.3cr8i4jcqyoqebw6j.com | unknown | unknown | false | | high |
| bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org | unknown | unknown | true | | unknown |
| cdn.ampproject.org | unknown | unknown | false | | high |
| Name | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|
| https://cdn.ampproject.org/c/s/comvj1qlei.u%c2%aDz%c2%aDh%c2%ADe%c2%aDt%C2%ADx%C2%ADm%C2%aDm%C2%ADb%c2%Ads%c2%aDp%c2%aDz%C2%ADb%c2%ado%C2%Adr%c2%aDqm.t%e2%80%8Bop%e2%80%8b%e2%80%8b%e2%80%8b%E2%80%8b%E2%80%8b%e2%80%8B%E2%80%8b/SYtuZHqzv | false | Avira URL Cloud: safe | unknown |
| https://bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org/c/s/comvj1qlei.u%C2%ADz%C2%ADh%C2%ADe%C2%ADt%C2%ADx%C2%ADm%C2%ADm%C2%ADb%C2%ADs%C2%ADp%C2%ADz%C2%ADb%C2%ADo%C2%ADr%C2%ADqm.t%E2%80%8Bop%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B/SYtuZHqzv | false | | unknown |
| https://comvj1qlei.uzhetxmmbspzborqm.top/SYtuZHqzv | false | Avira URL Cloud: safe | unknown |
| IP | Domain | Country | ASN | ASN Name | Malicious |
|---|---|---|---|---|---|
| 142.250.110.84 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.67 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.78 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.185.129 | unknown | United States | 15169 | GOOGLEUS | false |
| 1.1.1.1 | unknown | Australia | 13335 | CLOUDFLARENETUS | false |
| 2.22.242.226 | unknown | European Union | 20940 | AKAMAI-ASN1EU | false |
| 172.217.16.206 | unknown | United States | 15169 | GOOGLEUS | false |
| 52.123.129.14 | s-0005.dual-s-msedge.net | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 104.21.27.77 | comvj1qlei.uzhetxmmbspzborqm.top | United States | 13335 | CLOUDFLARENETUS | false |
| 216.58.206.35 | unknown | United States | 15169 | GOOGLEUS | false |
| 8.8.8.8 | unknown | United States | 15169 | GOOGLEUS | false |
| 52.109.32.38 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 142.250.181.225 | cdn-content.ampproject.org | United States | 15169 | GOOGLEUS | false |
| 52.109.32.97 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 142.250.185.195 | unknown | United States | 15169 | GOOGLEUS | false |
| 142.250.186.164 | www.google.com | United States | 15169 | GOOGLEUS | false |
| 20.42.73.26 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 172.217.18.110 | unknown | United States | 15169 | GOOGLEUS | false |
| 199.232.210.172 | bg.microsoft.map.fastly.net | United States | 54113 | FASTLYUS | false |
| 52.109.76.243 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |
| 52.109.76.144 | unknown | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false |

IP (private): 192.168.2.16, 192.168.2.4, 192.168.2.25
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1640929
Start date and time: 2025-03-17 21:35:04 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: original (1).eml
Detection: MAL
Classification: mal48.winEML@31/2@25/184
Cookbook Comments:
• Found application associated with file extension: .eml
• Exclude process from analysis (whitelisted): svchost.exe
• Excluded IPs from analysis (whitelisted): 52.109.32.97, 52.109.76.243, 2.22.242.226, 2.22.242.90, 199.232.210.172, 52.109.32.38, 52.109.32.47, 52.109.32.46, 52.109.32.39, 52.123.129.14, 40.126.31.0
• Excluded domains from analysis (whitelisted): ecs.office.com, omex.cdn.office.net, ctldl.windowsupdate.com.delivery.microsoft.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, roaming.officeapps.live.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, dual-s-0005-office.config.skype.com, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, login.live.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, c.pki.goog, omex.cdn.office.net.akamaized.net, wu-b-net.trafficmanager.net, europe.configsvc1.live.com.akadns.net, a1864.dscd.akamai.net
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Report size getting too big, too many NtSetValueKey calls found.
• VT rate limit hit for: comvj1qlei.uzhetxmmbspzborqm.top
Process: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type: data
Category: dropped
Size (bytes): 16384
Entropy (8bit): 3.565664275090036
Encrypted: false
SSDEEP:
MD5: CEEDDFDE948444012CD60750A3ED66F3
SHA1: 7924245E7DC9184C94D4A589D1B183C399DAD61C
SHA-256: D061BD8DC5874FE38541703CCE9E842C8DD3EAA2061499068416E9D8FD88C57A
SHA-512: 3D3D404C906B58D27CC358C0AE1D73352080FD689336F62BA876AAC852E06D29B31709D111BD86E1F9016A051CA970D85200FFDFDBF7C5A709070AE987FD6D59
Malicious: false
Reputation: unknown
Process: C:\Program Files\Google\Chrome\Application\chrome.exe
File Type: HTML document, ASCII text, with CRLF, LF line terminators
Category: downloaded
Size (bytes): 661
Entropy (8bit): 5.061033302340709
Encrypted: false
SSDEEP:
MD5: 436A74FBA9498C6A7D4895EB06EE4B23
SHA1: D4A81CFFF312762DBB6BE55D90B109868AB6F3C9
SHA-256: D2C9A7B676FDBBFE3E869C0BD0ABF741DDF62E8628CB53503760B87FACBB3275
SHA-512: 5593BEA2504CDA813EEDC5E71600EFD8B4ED59CA2B7EB9B99328278DDA48FFD8DB5EA163301FE7F450EF755E4117B77FD6035FC581A4FE559B41168FBCAE0CEA
Malicious: false
Reputation: unknown
URL: https://bhu6pdc3q3peasjx3wz2ivrla7qhafbefvozaaklb7skbhyi2k3a.cdn.ampproject.org/c/s/comvj1qlei.u%C2%ADz%C2%ADh%C2%ADe%C2%ADt%C2%ADx%C2%ADm%C2%ADm%C2%ADb%C2%ADs%C2%ADp%C2%ADz%C2%ADb%C2%ADo%C2%ADr%C2%ADqm.t%E2%80%8Bop%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B/SYtuZHqzv
Preview (line breaks restored):
    <HTML><HEAD>
    <meta http-equiv="content-type" content="text/html;charset=utf-8">
    <TITLE>Redirecting</TITLE>
    <META HTTP-EQUIV="refresh" content="0; url=https://comvj1qlei.u%C2%ADz%C2%ADh%C2%ADe%C2%ADt%C2%ADx%C2%ADm%C2%ADm%C2%ADb%C2%ADs%C2%ADp%C2%ADz%C2%ADb%C2%ADo%C2%ADr%C2%ADqm.t%E2%80%8Bop%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B/SYtuZHqzv">
    </HEAD>
    <BODY onLoad="location.replace('https://comvj1qlei.u%C2%ADz%C2%ADh%C2%ADe%C2%ADt%C2%ADx%C2%ADm%C2%ADm%C2%ADb%C2%ADs%C2%ADp%C2%ADz%C2%ADb%C2%ADo%C2%ADr%C2%ADqm.t%E2%80%8Bop%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B%E2%80%8B/SYtuZHqzv'+document.location.hash)">
    </BODY></HTML>
File type: SMTP mail, ASCII text, with very long lines (459), with CRLF line terminators
Entropy (8bit): 5.868043828630628
TrID:
• E-Mail message (Var. 1) (20512/2) 100.00%
File name: original (1).eml
File size: 175'171 bytes
MD5: 1c3ac788edac4e64a89c7582edf64298
SHA1: a13bc124cb8dc60ce7cee7f049e74bef29507e0b
SHA256: b4bc6c53056b1dc0a02afaf4e0e60c25fd04f69797f732b096b16e41d11695f2
SHA512: 1018a156a14b1a48bd5ffa391fcd583589a50a3ef9a9d47b4f2ffbd55e258f1d6e065421ebe2bf5dd0df1dae6a6eb5834ece4ba535387d68217b4349deffe7c8
SSDEEP: 3072:4gYpBvn46K55gSNAcJBUXmoat8vruRFz1rQeUQP3t5v5ZdACCOC9HlNWj3k0YVUK:4FrTe5gkAcJBU2oA8vqlDB5COCllNW9s
TLSH: 8304C0A55FC82AC9B364FB5FE01DB90DD3F21B41D87352CC7A86B84F6A5EC18181E909
File Content Preview: Return-Path: <cody.furlong@firstontario.com>..Received: from smtp.defend.email (smtp.defend.email [54.183.28.246]).. by inbound-smtp.us-east-1.amazonaws.com with SMTP id pr0u16aa50l4k7fhagklmj5agtjcvp4bvtesvs81.. for d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@p
Subject: [Phish Alert] .Firstontariocu's shared ''f_irstontariocu_pdf_883140893'' on Monday, 17th March 2025
From: "Furlong, Cody" <Cody.Furlong@firstontario.com>
To: "d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@phisher.knowbe4.com" <d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@phisher.knowbe4.com>
Cc:
BCC:
Date: Mon, 17 Mar 2025 15:06:27 +0000
Communications:
                      • The following information was sent by the user who reported this email. ________________________________ Reporter: Furlong, Cody <Cody.Furlong@firstontario.com> Disposition: Phish User Comments: ________________________________ CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the source and know the content is safe. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- __________________________________________________ [cid:FOSXgJ] [cid:mZIeoI] [cid:JvQAbt] [cid:KgTNiGqCQ] <https://www.google.com/url?hl=en&q=https://cdn.ampproject.org/c/s/comvj1qlei.u%25c2%25aDz%25c2%25aDh%25c2%25ADe%25c2%25aDt%25C2%25ADx%25C2%25ADm%25C2%25aDm%25C2%25ADb%25c2%25Ads%25c2%25aDp%25c2%25aDz%25C2%25ADb%25c2%25ado%25C2%25Adr%25c2%25aDqm.t%25e2%2580%258Bop%25e2%2580%258b%25e2%2580%258b%25e2%2580%258b%25E2%2580%258b%25E2%2580%258b%25e2%2580%258B%25E2%2580%258b/SYtuZHqzv&source=gmail&ust=1742307987600000&usg=AOvVaw1IiqrvdhzcAs1sObWgzCWL&PMCVSP=sArrslubEyvVASA&tirJArBCfzaxY=yqLdjtBSZCRV&ulTkdPr=HWIlPbnz&fBRitU=GrFJTlERiLmc&RIItJLWYB=xMXQWTYZLKyTY&woWbLnaOr=mKewHbQFyro&RelaXdIgoHbta=RiNEOwnGJepRoNM&ZYUNUjfzl=RsPNkQAaLKy&SDFvJUNuBQA=nFQYewmTCwqR&xSGvLMHvkUhY=demmDkMkykwR&TcRoHAasvcu=ObwHvrLQH&apdadiRvHY=yyGrvWf&fGvGcV=owVyOXS&WFmkckoWktyex=https://TsSwsGGp&tzJytaJDVyz=ClZGoUoNJrR&WKZgKhKRAfmxp=EengnMxr&NeRATgD=PELcSoLEH&CbXDiB=KfDSBUoZexuvdHZ&JvsBPtfN=eWiaHqxWqC&dBNqSJK=ItiNeIGALeKMPc&IKWPGihQznj=rTJSvENKTQ&yMHQaVpMrWGqL=FWOwAfDkV&zhPuaGLebXm=UhgkWbwqL> [cid:SOULTkKXsgIccfgwyVYp] [cid:vYSZKg] Thank you for your interest in ei23.com! You will now be provided with exciting news and exclusive content and it's for free! 
You only have to confirm your email address, click on the link: https://mailer.ei23.com/?p=confirm&uid=1ba05c658117309d9286c2870ad7e598<https://ucjudgra12423.com/276576> To send you the newsletter, we have to save your email address. You can find out more about our data protection at https://ei23.com/legal/<https://wtcfewgj12424.com/582065> If you do not agree, then simply delete this email. FirstOntario Credit Union Limited | 970 South Service Road, Suite 301, Stoney Creek, ON L8E 6A2 | FirstOntario.com You can unsubscribe from our promotional emails at any time by clicking https://portal.defend.email/unsubscribe/step-1?token=12158986:235b55884508af233daa4184ed21f17800c4b8ac994e955ed3888df2301573fe&243323&. These requests are handled within 10 days of receipt.
                      Attachments:
                      • phish_alert_sp2_2.0.0.0.eml
                      • KB4UserComments.json
Header | Value
Return-Path: <cody.furlong@firstontario.com>
Received: from CEM-filter (ip-172-31-10-144.ca-central-1.compute.internal [172.31.10.144]) by smtp.defend.email (Postfix) with ESMTP id 4ZGdbV5jkjz3qrB for <d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@phisher.knowbe4.com>; Mon, 17 Mar 2025 15:06:30 +0000 (UTC)
Received-SPF: pass (spfCheck: domain of firstontario.com designates 54.183.28.246 as permitted sender) client-ip=54.183.28.246; envelope-from=cody.furlong@firstontario.com; helo=smtp.defend.email;
Authentication-Results: amazonses.com; spf=pass (spfCheck: domain of firstontario.com designates 54.183.28.246 as permitted sender) client-ip=54.183.28.246; envelope-from=cody.furlong@firstontario.com; helo=smtp.defend.email; dkim=pass header.i=@defend.email; dmarc=pass header.from=firstontario.com;
X-SES-DKIM-SIGNATURE: a=rsa-sha256; q=dns/txt; b=mCsbIJJL5jsazLnpxc4T1vR4fZ0c8duOop/EM8CeQP4Qatgity2gOaTOLKzUwbOsCK0mSTW9km3GD8dIqJbQLN+bmqGZBfa3m8OtFr2416euc76f28GErKnLLZOaAPmrT7QkYJvgRI5mDJYP2W5P3LqKKeht/r/tKyZ1qobqYoI=; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1742223992; v=1; bh=OC5tdJeG6NUzAdT/IORlg6XRGJnLiOE4bY5cy3YMxHY=; h=From:To:Cc:Bcc:Subject:Date:Message-ID:MIME-Version:Content-Type:X-SES-RECEIPT;
DKIM-Filter: OpenDKIM Filter v2.11.0 smtp.defend.email 4ZGdbV5jkjz3qrB
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defend.email; s=raven; t=1742223991; bh=OC5tdJeG6NUzAdT/IORlg6XRGJnLiOE4bY5cy3YMxHY=; h=From:To:Subject:Date:From; b=dq40ofLupnktKvP98cxtE5ByuHubXyZlxR3KMXoMKQ2pyM21IunlNdxalGB5mqvVL 38MrroHcwPIjI4Vq/a/3nHQb7Qnm5zegk9SlbNYm1WNjNDvWutjFHNPivr+iIawy3n I8OLah1AQi59aOZ0rYK+TMgAwAPMZfsFiUIP2z/GtmSZNuhmpKgzHsbYcUVqCpWZGh 3gN6SCI976/gFmSoDh/dFrnAQ3GwLJkSY0ytyTTDptjLbDTzvJgyfdnIykYGwQ0Q8U CLdIr2Hs3EtcrpUfCcd0wN8fQIusgjbts6YOilC5MNnoBsRGFIx1dM934ujC/fgbY1 LNAQWjH0hKibA==
From: "Furlong, Cody" <Cody.Furlong@firstontario.com>
To: "d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@phisher.knowbe4.com" <d7e8457b-1c59-44ac-b5fe-ee555e2d0dc3@phisher.knowbe4.com>
Subject: [Phish Alert] .Firstontariocu's shared ''f_irstontariocu_pdf_883140893'' on Monday, 17th March 2025
Thread-Topic: [Phish Alert] .Firstontariocu's shared ''f_irstontariocu_pdf_883140893'' on Monday, 17th March 2025
Thread-Index: AQHbl04nX3bvebAPP0GYbSPoOY9F0w==
Date: Mon, 17 Mar 2025 15:06:27 +0000
Message-ID: <YT2PR01MB968343A3C3C1743519887E5EFBDF2@YT2PR01MB9683.CANPRD01.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=firstontario.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: YT2PR01MB9683:EE_|YT2PR01MB8821:EE_
x-ms-office365-filtering-correlation-id: a8cfcae5-4ee2-4d57-20b7-08dd65654a71
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;ARA:13230040|376014|366016|1800799024|8096899003|4053099003|38070700018;
x-forefront-antispam-report: CIP:255.255.255.255;CTRY:;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:YT2PR01MB9683.CANPRD01.PROD.OUTLOOK.COM;PTR:;CAT:NONE;SFS:(13230040)(376014)(366016)(1800799024)(8096899003)(4053099003)(38070700018);DIR:OUT;SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
Content-Type: multipart/mixed; boundary="_005_YT2PR01MB968343A3C3C1743519887E5EFBDF2YT2PR01MB9683CANP_"
MIME-Version: 1.0
X-OriginatorOrg: firstontario.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: YT2PR01MB9683.CANPRD01.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: a8cfcae5-4ee2-4d57-20b7-08dd65654a71
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Mar 2025 15:06:27.1099 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 704f30be-15a6-482a-b249-cfe161841910
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZuBWXCID4oCLDzj0I31fwJhpiIyIsWdfk4AkLDOXjddrOPnhJOnU4deLF0HK/nkkEVm77YdAtgO3gkLRz48xwhY+Ufs4AxMmtrD7PaxapCQ=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YT2PR01MB8821
Icon Hash: 46070c0a8e0c67d6