Windows
Analysis Report
phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
Overview
General Information
Detection
Score: | 1 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 60% |
Signatures
Classification
- System is w10x64
- OUTLOOK.EXE (PID: 7528 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml" MD5: 91A5292942864110ED734005B7E005C0)
- ai.exe (PID: 7880 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "5F83E289-E183-4AC6-A1BF-9EC97AD59C71" "A4CDD259-2D47-4082-8BBA-59DA513136F7" "7528" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
- cleanup (Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split))
There are no malicious signatures.
Signature | Occurrences |
---|---|
DNS traffic detected | 2 |
UDP traffic detected without corresponding DNS query | 1 |
String found in binary or memory | 10 |
Classification label | 1 |
File created | 2 |
Process created | 3 |
Section loaded | 9 |
Key value queried | 2 |
Window found | 1 |
Window detected | 1 |
Key opened | 1 |
Process information set | 60 |
File Volume queried | 1 |
Process information queried | 1 |
Queries volume information | 1 |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service |
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact |
Name | IP | Active | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|---|
241.42.69.40.in-addr.arpa | unknown | unknown | false | unknown | |
Name | Source | Malicious | Antivirus Detection | Reputation |
---|---|---|---|---|
10 entries | | false | unknown | |
Joe Sandbox version: | 41.0.0 Charoite |
Analysis ID: | 1524346 |
Start date and time: | 2024-10-02 17:41:51 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 4m 35s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | default.jbs |
Analysis system description: | Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01 |
Number of new started processes analysed: | 5 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: | |
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml |
Detection: | CLEAN |
Classification: | clean1.winEML@3/10@1/0 |
EGA Information: | Failed |
HCA Information: | |
Cookbook Comments:
- Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
- Excluded IPs from analysis (whitelisted): 52.113.194.132, 20.42.73.26
- Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, s-0005.s-msedge.net, onedscolprdeus09.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, ecs.office.trafficmanager.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, mobile.events.data.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net
- Report size getting too big, too many NtQueryAttributesFile calls found.
- Report size getting too big, too many NtQueryValueKey calls found.
- Report size getting too big, too many NtReadVirtualMemory calls found.
- VT rate limit hit for: phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 231348 |
Entropy (8bit): | 4.386114041653736 |
Encrypted: | false |
SSDEEP: | 3072:brgWOvgamiGu24qoQDart0FvjWDgrv7Sml:bkPmi2l2grv7S8 |
MD5: | CC28915C5EF48BD4506F22A4258641E2 |
SHA1: | BE96719BD9DCF65CC3B9AB50CD239F9B3C53A31F |
SHA-256: | CF46D490948695D6DC1936051D5B594CA50DE9DA9C6DAA40E5DE0F3F8E1991EF |
SHA-512: | F49F1125CA5646AD56A043029046A5750A1CC33B06EF8F09F65BCF7D490E1534B3E3EB299A7506D53CD702179D83556A222888AD32E3E3A82CBC73905B88393E |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 32768 |
Entropy (8bit): | 0.04562918148302959 |
Encrypted: | false |
SSDEEP: | 3:GtlxtjlJ+pn9WMm4XuBoylxtjlJ+pn9WMm4XuBoXljR9//8l1lvlll1lllwlvll7:Gtwnv+5wnv++lt9X01PH4l942wU |
MD5: | 8F6985C564C0813285534B61BD392C62 |
SHA1: | 7A0F55DF7061AAD1C4A37EB0CBF19456A276B546 |
SHA-256: | 47F5AC9E26E8C5C3C3B57DC5714B6E120A428FF889FCE1C20206586F000033E1 |
SHA-512: | 17861843FEE1E5C85522B0CAF7CD918D3C5FDD8AC0E82C18E4B35F078DB9034C1E445E3CF5AB5D09A2C7DBC35F6E85DF8EFF749E6419947251062146F504C3E5 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | modified |
Size (bytes): | 49472 |
Entropy (8bit): | 0.48345211011299183 |
Encrypted: | false |
SSDEEP: | 48:R7JJNlQ18Ull7DYM88zO8VFDYMqBO8VFDYML:BJS9ll4FkjVGHjVGC |
MD5: | 7E1099076D321B2D72099C7FBC8044BB |
SHA1: | 1B9A7612F3762CB0827E8187A18AC9E84A6C3F35 |
SHA-256: | 436E6799867AA91AC1FEB572CA1991F46AF353FB91CF4D65ADC7CA8CFABDE668 |
SHA-512: | 4EA75A727B98B974A25BB25FFA62757E05505A67E37EADB6082F7F73AB84118BE950A5A23676ABFAFE64D11C7F88BD4EE6C37B335F916DB4A96521882DD85BE3 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{301D1048-16D3-4357-A6C6-A0368F7E8B60}.tmp
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 9692 |
Entropy (8bit): | 3.561334349567171 |
Encrypted: | false |
SSDEEP: | 192:BYYnhc/rurururur+DyiB6kOzZzk6kDrC0ck:BYYnu4444aFcklXh |
MD5: | D9CC078FE4FC633152611E59785B0653 |
SHA1: | 166EE637B0F0867CBED92D2FF0015C8B507A76AC |
SHA-256: | 916C4CED999B6BCE0FC5E076463118C402DF9695087D8E1A47D111EDD33A46C5 |
SHA-512: | C9644CE159F0ADCE804881A374A8EAFD640A2310800271D4F0A3805566D94C517B1D369107537EAC6C9512B1DF4CC37CD4A76E7D953C00DB9195A649B5DF8215 |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727883781386768900_AC7D0C7C-B3C9-4A1B-9691-0874332E608D.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.16133448613434223 |
Encrypted: | false |
SSDEEP: | 1536:bIhzB0nvTXqx4KWdLYxwLpoK1OzsPZj39zC0S+rN9SxmBn:E0v+x4ZiOhZ |
MD5: | 2BFCACB77AB334A6D4134F95289AA125 |
SHA1: | 24275A296BC35978453BA1534401B560C9B834F1 |
SHA-256: | 1D8429CAEC52FC98217A9F3DE650BBDE5695358176829E0C047CF0B227486751 |
SHA-512: | D5D04544423478105127336E7CF842A268C988082CB7276935D409F536191D96D65D04EDEF0F527B9B353354F7865D5435906312C579A8BBDF2AEE22A7E7753A |
Malicious: | false |
Reputation: | low |
Preview: |
C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1727883781393102400_AC7D0C7C-B3C9-4A1B-9691-0874332E608D.log
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 20971520 |
Entropy (8bit): | 0.0 |
Encrypted: | false |
SSDEEP: | 3:: |
MD5: | 8F4E33F3DC3E414FF94E5FB6905CBA8C |
SHA1: | 9674344C90C2F0646F0B78026E127C9B86E3AD77 |
SHA-256: | CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC |
SHA-512: | 7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB |
Malicious: | false |
Reputation: | high, very likely benign file |
Preview: |
C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241002T1143000935-7528.etl
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 106496 |
Entropy (8bit): | 4.497294678956681 |
Encrypted: | false |
SSDEEP: | 768:5fgsjQeD6tZsVXPRXW4Hwa9lybxMvq6XVx3VCo8WlWwzWQWulkY07:PY4Qa9lybivHXVx3VRle |
MD5: | B13F3B5AC93DEB38B4738AD6A27C7DAF |
SHA1: | B0DB516852F46DF72BE26A3882D09E5C21D08788 |
SHA-256: | 78FCD85C1B14A755715598DB9C2CA30FD937ED756AFF4AE3E970C7253E168CCD |
SHA-512: | D808ADA547DC0048786A559CD07F5F326F89076A29E5C455F5E0D6E453794EAB92FC7CA196183FCC110BE04D4334C2DD14D4FA6B30A4793A25BD9C68F5276102 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 30 |
Entropy (8bit): | 1.2389205950315936 |
Encrypted: | false |
SSDEEP: | 3:aMh/lt:aMr |
MD5: | 984182C48F4875788DC295EB5A6A62F6 |
SHA1: | 7094A70DDF6C91BA45B2BC9E5100964E5BF9CFA5 |
SHA-256: | 727AFA0BFB844F5E5E92CCCCC809B7D66A99057BF955ACFBB7DCB968E38022B9 |
SHA-512: | 91349174B37F8240F055D0ACA6B8E7FB1E45ED69B3A4C5B45F75338F9A5DA9DD2036591BC49D75F51996B7474A0DC012C8D8FFBFBDC2F059123366E08999E06B |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 271360 |
Entropy (8bit): | 2.79413208210293 |
Encrypted: | false |
SSDEEP: | 1536:HFa7TZPtwxLyX6QHDo42DX3p9p7R31HRRPvqQQCmVKm9V9WImuqcIbVVQZ+hnoTU:83ZW+aXbP3aqcIbVVQWjYp9RIfMp9 |
MD5: | 87B05DC64FB7DC0FA04D3A0ADFFB7D81 |
SHA1: | EC62D27468E8C5CABBF8C5ED0B13F63BF0F922BA |
SHA-256: | E979A4FDD8527C9175840C1ED9309D2CB1E43A71D1C5EDD61FE3FCFD8371792B |
SHA-512: | D477DF12F139FC75CB222AE78320376CDB86622BC459D3567F25554825DCA5B3E11DA66AD51CA0A4649533847126ED0E570CCADEE401357D21120A8FB9831F75 |
Malicious: | false |
Reputation: | low |
Preview: |
Process: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
File Type: | |
Category: | dropped |
Size (bytes): | 131072 |
Entropy (8bit): | 3.695955882752752 |
Encrypted: | false |
SSDEEP: | 1536:JeOSRp7R3eHRRPvqQQCmVKm9V9WHmlqcIbVVQI6R+h0W53jEpEHP4qQ10PAwrUTF:NSRP3ZqcIbVVQhp9Qu9H |
MD5: | A4CCBFEE2F35B7EB2E897AD506310B88 |
SHA1: | A84519BFCE5AD6E7BE292E999F547E773926646E |
SHA-256: | 609DF6376876A6837536D18A3FCA851E395F9392176ABDC861FCD24638FAD7F9 |
SHA-512: | F37661E33B8AFD60559D097E12D36E4AE65A13A3CDB53F66318384518A4E896E0ADBBDF530C0E3FCE0D005F3C4874B7B74DEF2FE01ABD06F2857005E01E62E5F |
Malicious: | false |
Preview: |
File type: | |
Entropy (8bit): | 5.9596446881993 |
TrID: | |
File name: | phish_alert_sp2_2.0.0.0 - 2024-10-02T103210.959.eml |
File size: | 21'637 bytes |
MD5: | cbc29359632670fdb52f4fabbac46e8b |
SHA1: | 9355cc00597778efc10b73afe5c6430bd7291639 |
SHA256: | b64389fd6fbf45aa015af1921cf9759f4dab650c7d5fe11c7e6da4d19131ac76 |
SHA512: | 5f9d419321884cc83689f0f818a84ff8e5ba2d739586b0675d0b4b4d69a440d1657aaac78015ae50100c97520360b9b7edb8ca0ee9e29c783e929cea36bc66ef |
SSDEEP: | 384:4h/71IU5wwTQa9x4iC9RBDqJWDO2ACH+/3h2+vifRK7OdJwvP8zgjmwyC78:471IqwwTri9R4JkAq/g7OjEgzC78 |
TLSH: | CAA24915E2861186EEF010D56602BDC5A2A2FD4D63B345B03D6AE078BD8D437AB1C6DF |
File Content Preview: | Received: from SA3PR19MB7418.namprd19.prod.outlook.com.. (2603:10b6:806:304::11) by PH0PR19MB5410.namprd19.prod.outlook.com with.. HTTPS; Tue, 1 Oct 2024 19:11:32 +0000..Received: from PH7P220CA0136.NAMP220.PROD.OUTLOOK.COM.. (2603:10b6:510:327::8) by SA3 |
Subject: | [EXTERNAL Email] ShareFile Login Information |
From: | Jonas Rice <mail@sf-notifications.com> |
To: | Kathi Rabun <KRabun@highlandsmortgage.com> |
Cc: | |
BCC: | |
Date: | Tue, 01 Oct 2024 19:09:48 +0000 |
Communications: | |
Attachments: |
Key | Value |
---|---|
Received | from IP-AC102889 ([127.0.0.1]) by IP-AC102889.sf-notifications.com with Microsoft SMTPSVC(8.5.9600.16384); Tue, 1 Oct 2024 15:09:44 -0400 |
Arc-Seal | i=1; s=201903; d=dkim.mimecast.com; t=1727809888; a=rsa-sha256; cv=none; b=VoIjVC1YeXyTptdbJHRPlirym0w87vGC6q6hL8MWnih0LQzERVSKQ+bp0te1Kmt/QIZgjf NVQXr9lsm4UnTvHcWRYyx3ElPROW1X6DTK8Etk1K7+uaoAQgnIA00BZFCW6GzhnQ9g7hDG 4eyr1FuNVyWr/0N8Jyk8D1/d/WCsAwzyOD+W6hLO9objFCnCYzyLOhHM6MZWYWaiJ+OlA7 rCdGOVCBIiiLIqhCQLXrwbJmPa58gvH6GgAlwPblN6gsGYjGyRLDoJG16PlUBBjX6HWogY W77XmQPpm5/K8Xc+14IEg4Ol8cHhHPfApcpV5tsuK3i7Yrfma1CrJSFXbo8tJw== |
Arc-Message-Signature | i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1727809888; h=from:from:sender:sender:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:dkim-signature; bh=BTLqGC60f0Z///l61Z+Y5WAQPnRj4ghX86WHsTZUyU8=; b=lmo/wmZGc5iIlA2kY20i9ZhByPBWtWmzm3R2kn/gcMc5bKscq4HK75rILBeYsbZMIlXoDp BD18Vrb2H5bY9hDTDj1L8d3tUWuCt6KJeuAkarlguc9wl3DV9itErQiEwOGvuCdiRHKm18 LLhfFrIi6ALzNoq2vKcefiUYvhFbb17a1jnQ0efLqwe7GqnB82lNYUyAaIGQq0LplXEBe1 BbE55BADpL/FoLqtrmjTh1zx1Rndfde1WZhD1F1IDmqlAYjOFfO84W2OovdcryJRtDqJZX cPFdWLfKZGOilS5NKFeI3nSZ2a/HKpR7qYAhvqxQobfysPG02J1d85UOBFPepA== |
Arc-Authentication-Results | i=1; relay.mimecast.com; dkim=pass header.d=sf-notifications.com header.s=s1 header.b=jch3qdC0; dmarc=pass (policy=quarantine) header.from=sf-notifications.com; spf=pass (relay.mimecast.com: domain of "bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" designates 167.89.16.232 as permitted sender) smtp.mailfrom="bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" |
Authentication-Results | spf=fail (sender IP is 205.139.110.120) smtp.mailfrom=em6701.sf-notifications.com; dkim=fail (signature did not verify) header.d=sf-notifications.com;dmarc=fail action=pctquarantine header.from=sf-notifications.com;compauth=none reason=451 |
Received-Spf | Fail (protection.outlook.com: domain of em6701.sf-notifications.com does not designate 205.139.110.120 as permitted sender) receiver=protection.outlook.com; client-ip=205.139.110.120; helo=us-smtp-inbound-delivery-1.mimecast.com |
Authentication-Results-Original | relay.mimecast.com; dkim=pass header.d=sf-notifications.com header.s=s1 header.b=jch3qdC0; dmarc=pass (policy=quarantine) header.from=sf-notifications.com; spf=pass (relay.mimecast.com: domain of "bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" designates 167.89.16.232 as permitted sender) smtp.mailfrom="bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com" |
X-Mc-Unique | VcECnzLUPTKWGxKova-uzQ-1 |
Dkim-Signature | v=1; a=rsa-sha256; c=relaxed/relaxed; d=sf-notifications.com; h=mime-version:content-type:sender:from:subject:reply-to:to:cc: content-type:from:subject:to; s=s1; bh=nbBu7B8e3G65+hlIkShLmxUKtDGR35zvgRVgNM9Ot5Y=; b=jch3qdC0JM/ep//Q3g5elNNrEyc4xTQvCygqkMV5/6fy/4QZdD8f3TdXlVN2Y1u3rtwb XaNSP+vDpWoeXs5mOtv7ydg2+y5D7O0B+Yh6+H04+DFnyAI62liIIKfW0YTcmN9g1G4hEn jZfb6lwD0/50//mx+fDbyvU4bVzphDIGZpLrA/RjoiBzG3CuneLlXYSDleQ3WJF3kOiZK2 4NcTSKWXdNrY9ySrNdh2si2yX91u7gd7zytWxI1r/bCorX6Ce4RSlMcG7OeBlcumRdXGda lcThja2SKb1lmYldyP1y+B/FQnkm8Uf0plkXbAx3h//gdjLnuuniic1xMbgI2VUA== |
Date | Tue, 01 Oct 2024 19:09:48 +0000 |
Message-Id | <B8699E91DB553C0E37822E1C7A2AB478CAC964DD@IP0AC102889> |
Sender | mail@sf-notifications.com |
From | Jonas Rice <mail@sf-notifications.com> |
Subject | [EXTERNAL Email] ShareFile Login Information |
Return-Path | bounces+552310-9387-krabun=highlandsmortgage.com@em6701.sf-notifications.com |
X-Originalarrivaltime | 01 Oct 2024 19:09:44.0321 (UTC) FILETIME=[79954710:01DB1435] |
Reply-To | jonas@labakerlaw.com |
X-Sg-Eid | u001.95PbW2L/KmzCvqTiMn9tE6Y+R7OvrZywS5XpDn6TCNfX74gRav7HAJCZbD0OPIxhi5CsF4mRxwc4tlbttoTBefUtUE7mrJ4L2gZI05EPcVtdPSyBF0mv5HUrusHAHqDISyvj1FTSC8T9IFoNRs/IE3x5x46T/BJgCQ0QiWSNvGH2kd3f9w1O7sAYccHbWPi6VsSYhaGC9udNxw6A6EViHuVTKjZPklj+4gDQ69E6lAWGXAqL3Qv7X3LosYzYb6vf |
X-Sg-Id | u001.SdBcvi+Evd/bQef8eZF3BpTL9BgbK5wfSJMJGMsmprBdiDR+bQ7bMIKuEiWng/gpkUa1tev2F6kno+cTnqNWsI4u8lSxVViA6zPszNJJilxrbWLqNj4F1yZQMtLlfVGj |
To | Kathi Rabun <KRabun@highlandsmortgage.com> |
X-Entity-Id | u001.+3KkpFIqx/zwVtrqWuPUFg== |
X-Mimecast-Spam-Score | 1 |
X-Ms-Exchange-Organization-Expirationstarttime | 01 Oct 2024 19:11:28.6600 (UTC) |
X-Ms-Exchange-Organization-Expirationstarttimereason | OriginalSubmit |
X-Ms-Exchange-Organization-Expirationinterval | 1:00:00:00.0000000 |
X-Ms-Exchange-Organization-Expirationintervalreason | OriginalSubmit |
X-Ms-Exchange-Organization-Network-Message-Id | 00d108e0-a950-4458-280e-08dce24cda3d |
X-Eopattributedmessage | 0 |
X-Eoptenantattributedmessage | 615a646c-2d45-4a1b-b3c6-5970189da9c4:0 |
X-Ms-Exchange-Organization-Messagedirectionality | Incoming |
X-Ms-Publictraffictype | |
X-Ms-Traffictypediagnostic | BL6PEPF0001AB73:EE_|SA3PR19MB7418:EE_|PH0PR19MB5410:EE_ |
X-Ms-Exchange-Organization-Authsource | BL6PEPF0001AB73.namprd02.prod.outlook.com |
X-Ms-Exchange-Organization-Authas | Anonymous |
X-Ms-Office365-Filtering-Correlation-Id | 00d108e0-a950-4458-280e-08dce24cda3d |
X-Ms-Exchange-Organization-Scl | -1 |
X-Microsoft-Antispam | BCL:0;ARA:13230040|12012899012|13012899012|13102899012|3072899012|1032899013|4092899012|5062899012|3092899012|2092899012|31092699021|29132699027|5082899009|69100299015 |
X-Forefront-Antispam-Report | CIP:205.139.110.120;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:us-smtp-inbound-delivery-1.mimecast.com;PTR:us-smtp-delivery-1.mimecast.com;CAT:NONE;SFS:(13230040)(12012899012)(13012899012)(13102899012)(3072899012)(1032899013)(4092899012)(5062899012)(3092899012)(2092899012)(31092699021)(29132699027)(5082899009)(69100299015);DIR:INB |
X-Ms-Exchange-Crosstenant-Originalarrivaltime | 01 Oct 2024 19:11:28.5975 (UTC) |
X-Ms-Exchange-Crosstenant-Network-Message-Id | 00d108e0-a950-4458-280e-08dce24cda3d |
X-Ms-Exchange-Crosstenant-Id | 615a646c-2d45-4a1b-b3c6-5970189da9c4 |
X-Ms-Exchange-Crosstenant-Authsource | BL6PEPF0001AB73.namprd02.prod.outlook.com |
X-Ms-Exchange-Crosstenant-Authas | Anonymous |
X-Ms-Exchange-Crosstenant-Fromentityheader | Internet |
X-Ms-Exchange-Transport-Crosstenantheadersstamped | SA3PR19MB7418 |
X-Ms-Exchange-Transport-Endtoendlatency | 00:00:04.0355803 |
X-Ms-Exchange-Processed-By-Bccfoldering | 15.20.8026.016 |
X-Microsoft-Antispam-Mailbox-Delivery | ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003) |
X-Microsoft-Antispam-Message-Info | |
Content-Type | multipart/mixed; boundary="----sinikael-?=_1-17278099636180.9908322910656406" |
MIME-Version | 1.0 |
X-Priority | 3 (Normal) |
Icon Hash: | 46070c0a8e0c67d6 |
Timestamp | Source Port | Dest Port | Source IP | Dest IP |
---|---|---|---|---|
Oct 2, 2024 17:43:28.241271973 CEST | 53 | 63357 | 162.159.36.2 | 192.168.2.5 |
Oct 2, 2024 17:43:28.724921942 CEST | 62762 | 53 | 192.168.2.5 | 1.1.1.1 |
Oct 2, 2024 17:43:28.732338905 CEST | 53 | 62762 | 1.1.1.1 | 192.168.2.5 |
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|
Oct 2, 2024 17:43:28.724921942 CEST | 192.168.2.5 | 1.1.1.1 | 0x1d45 | Standard query (0) | | PTR (Pointer record) | IN (0x0001) | false |
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
---|---|---|---|---|---|---|---|---|---|---|
Oct 2, 2024 17:43:28.732338905 CEST | 1.1.1.1 | 192.168.2.5 | 0x1d45 | Name error (3) | | none | none | PTR (Pointer record) | IN (0x0001) | false |
Target ID: | 0 |
Start time: | 11:42:57 |
Start date: | 02/10/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xfe0000 |
File size: | 34'446'744 bytes |
MD5 hash: | 91A5292942864110ED734005B7E005C0 |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |
Target ID: | 3 |
Start time: | 11:43:03 |
Start date: | 02/10/2024 |
Path: | C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff722120000 |
File size: | 710'048 bytes |
MD5 hash: | EC652BEDD90E089D9406AFED89A8A8BD |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | high |
Has exited: | false |