Edit tour

Windows Analysis Report
phish_alert_sp2_2.0.0.0 (13).eml

Overview

General Information

Sample name:	phish_alert_sp2_2.0.0.0 (13).eml
Analysis ID:	1531116
MD5:	d7f52aeb8f88e6aae33568f0525ebe29
SHA1:	34fe6187c24dcb85f8370f53d0f08626f1c72a6f
SHA256:	5a7d3b8181f1e69ebf5c29327f089cbd87b67b1825b541ad92d3f01a7823abc5
Infos:

Detection

Score:	2
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sigma detected: Office Autorun Keys Modification

Stores large binary data to the registry

Classification

Process Tree

System is w10x64

OUTLOOK.EXE (PID: 4132 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (13).eml" MD5: 91A5292942864110ED734005B7E005C0)

ai.exe (PID: 5648 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)

HxOutlook.exe (PID: 6232 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca MD5: 6F8EAC2C377C8F16D91CB5AC8B8DBF5F)

HxAccounts.exe (PID: 7416 cmdline: "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca MD5: 6FEB00C9A2C3FF66230658B3012BAB6A)

cleanup

Sigma Signatures

Sigma detected: Office Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 4132, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

There are no malicious signatures, click here to show all signatures.

Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: http://b.c2r.ts.cdn.office.net/pr
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: olk6C0A.tmp.0.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_7a5c3a0c73117406add19312bc1bc23f/LatestCRL.crl07
Source: olk6C0A.tmp.0.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/c780dddc8-18a1-5781-895a-a690464fa89cp
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://test-exp-s2s.msedge.net/ab/http://test-exp-s2s.msedge.net/ab/http://test-exp-s2s.msedge.net/a
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/app/download
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinslicensing.store.office.com/apps/remove
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinslicensing.store.office.com/commerce/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.aadrm.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.aadrm.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.omex.office.net/api/addins/search
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.store.office.com/addinstemplate
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.store.office.com/app/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.cortana.ai
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.diagnostics.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.microsoftstream.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.microsoftstream.com/api/
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.office.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.officescripts.microsoftusercontent.com/api
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.onedrive.com
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://api.scheduler.
Source: HxAccounts.exe, 0000000B.00000002.3585589019.000001B58982B000.00000004.00000020.00020000.00000000.sdmp, 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://apis.live.net/v5.0/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://apis.mobile.m365.svc.cloud.microsoft
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://app.powerbi.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://augloop.office.com
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://augloop.office.com/v2
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: HxAccounts.exe, 0000000B.00000002.3585481715.000001B589800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/
Source: HxAccounts.exe, 0000000B.00000002.3585481715.000001B589800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az804205.vo.msecnd.net/f
Source: HxAccounts.exe, 0000000B.00000002.3585481715.000001B589800000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://az815563.vo.msecnd.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://canary.designerapp.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designer-mobile
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/fonts
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-assets
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-dynamic-strings
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.designerapp.osi.office.net/designerapp/mobile-home-screen
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.entity.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.hubblecontent.osi.office.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cdn.int.designerapp.osi.office.net/fonts
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/DeltaAdvisory
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.com/config/v1/https://config.edge.skype.com/config/v1/780dddc8-18a1-5781-8
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://config.edge.skype.net/config/v1/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://consent.config.office.com/consentcheckin/v1.0/consents
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://consent.config.office.com/consentweb/v1.0/consents
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cortana.ai
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cortana.ai/api
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://cr.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://d.docs.live.net
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dataservice.o365filtering.com
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dataservice.o365filtering.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://designerapp.azurewebsites.net
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://designerappservice.officeapps.live.com
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dev.cortana.ai
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://devnull.onenote.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://directory.services.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ecs.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ecs.office.com/config/v1/Designer
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://edge.skype.com/registrar/prod
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://edge.skype.com/rps
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Refresh/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Resolve/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/Search/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/StockHistory/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/ipcheck/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/v2.1601652342626
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/Metadata/metadata.json
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/desktop/main.cshtml
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://enrichment.osi.office.net/OfficeEnrichment/web/view/web/main.cshtml
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/%s
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://fpastorage.cdn.office.net/firstpartyapp/addins.xml
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://graph.ppe.windows.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://graph.ppe.windows.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://graph.windows.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://graph.windows.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/pivots/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?secureurl=1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ic3.teams.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://incidents.diagnostics.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://inclient.store.office.com/gyro/client
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://inclient.store.office.com/gyro/clientstore
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://invites.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://lifecycle.office.com
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.microsoftonline.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.microsoftonline.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.microsoftonline.com/organizations
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.windows.local
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.local/
Source: OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	String found in binary or memory: https://login.windows.localR
Source: OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	String found in binary or memory: https://login.windows.localnullD
Source: OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	String found in binary or memory: https://login.windows.localnullros
Source: OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	String found in binary or memory: https://login.windows.localtloR
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, App1728588612068758900_867B4047-AB37-4B0B-A391-40CA9AEDCC2D.log.0.dr	String found in binary or memory: https://login.windows.net
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://login.windows.net/common/oauth2/authorize
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://make.powerautomate.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://management.azure.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://management.azure.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messagebroker.mobile.m365.svc.cloud.microsoft
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.action.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.action.office.com/setcampaignaction
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.action.office.com/setuseraction16
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.engagement.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.engagement.office.com/campaignmetadataaggregator
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.lifecycle.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.lifecycle.office.com/getcustommessage16
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://messaging.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://metadata.templates.cdn.office.net/client/log
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://mss.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://my.microsoftpersonalcontent.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ncus.contentsync.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ncus.pagecontentsync.
Source: HxAccounts.exe, 0000000B.00000002.3585525319.000001B589813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexus.officeapps.live.com0
Source: HxAccounts.exe, 0000000B.00000002.3585525319.000001B589813000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://nexusrules.officeapps.live.com07
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ods-diagnostics-ppe.trafficmanager.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officeapps.live.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officeci.azurewebsites.net/api/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officepyservice.office.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officepyservice.office.net/service.functionality
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://officesetup.getmicrosoftkey.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentities
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://omex.cdn.office.net/addinclassifier/officesharedentitiesupdated
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://onedrive.live.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://onedrive.live.com/embed?
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://otelrules.azureedge.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://otelrules.svc.static.microsoft
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office365.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office365.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://outlook.office365.com/connectors
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pages.store.office.com/appshome.aspx?productgroup=Outlook
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pages.store.office.com/review/query
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pages.store.office.com/webapplandingpage.aspx
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://powerlift.acompli.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://prod.mds.office.com/mds/api/v1.0/clientmodeldirectory
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://pushchannel.1drv.ms
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://res.cdn.office.net
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://res.cdn.office.net/mro1cdnstorage/fonts/prod/4.40
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://res.cdn.office.net/polymer/models
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://safelinks.protection.outlook.com/api/GetPolicy
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://service.officepy.microsoftusercontent.com/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://service.powerapps.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://settings.outlook.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://shell.suite.office.com:1443
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://skyapi.live.net/Activity/
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://staging.cortana.ai
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://store.office.cn/addinstemplate
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://store.office.de/addinstemplate
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://substrate.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://tasks.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://templatesmetadata.office.net/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://web.microsoftstream.com/video/
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://webshell.suite.office.com
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://wus2.contentsync.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://wus2.pagecontentsync.
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://www.odwebp.svc.ms
Source: 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	String found in binary or memory: https://www.yammer.com
Source: HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com
Source: HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com/
Source: HxAccounts.exe, 0000000B.00000002.3589072504.000001B590CF4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://xsts.auth.xboxlive.com5

Source: classification engine

Classification label: clean2.winEML@5/22@0/0

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl

Jump to behavior

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (13).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Source: unknown	Process created: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: c2r64.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: microsoft.applications.telemetry.windows.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msoimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso40uiimm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.word.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso50imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mso98imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.model.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxcomm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.networking.hostname.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.view.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxshared.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.viewmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: clipc.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: hxoutlook.resources.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hx.mail.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: office.ui.xaml.hxcalendar.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.remotedesktop.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.systemid.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.system.profile.retailinfo.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: photometadatahandler.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ploptin.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: webservices.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataaccountapis.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: userdataplatformhelperutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: accountsrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: aphostclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.model.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: microsoft.applications.telemetry.windows.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso30imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mso20imm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vccorlib140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vcruntime140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msvcp140_app.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowmanagementapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: office.ui.xaml.hxaccounts.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.applicationdata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxcomm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.applicationmodel.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.globalization.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.connectivity.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.networking.hostname.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.energy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: rometadata.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.system.diagnostics.telemetry.platformtelemetryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.staterepositoryclient.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uiamanager.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.core.textinput.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.immersive.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.accountscontrol.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.security.authentication.web.core.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.ui.xaml.controls.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: directmanipulation.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: profext.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: winrttracing.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: hxoutlook.resources.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: msftedit.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: globinputhost.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: windows.graphics.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: wuceffects.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Section loaded: uiautomationcore.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe

File opened: C:\Windows\SYSTEM32\msftedit.dll

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: phish_alert_sp2_2.0.0.0 (13).eml

Static file information: File size 1865992 > 1048576

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ExperimentConfigs\Ecs\outlook\ConfigContextData 1

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Window / User API: threadDelayed 2329			Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Window / User API: threadDelayed 414			Jump to behavior

Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe TID: 6316	Thread sleep count: 2329 > 30			Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe TID: 6316	Thread sleep count: 414 > 30			Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

File Volume queried: C:\Windows\SysWOW64 FullSizeInformation

Jump to behavior

Source: phish_alert_sp2_2.0.0.0 (13).eml	Binary or memory string: CmcoAYn+RKIeSME8plZPly02FuFYBoHGFSw8OUpbqg1if5Spq1HCRKjIFNnJcH8kxI8lOX2M64kY
Source: phish_alert_sp2_2.0.0.0 (13).eml	Binary or memory string: 53xJVExmQwHgfSjTKIo1ihoFqKGqDuOIkpAuT59rbvOZtpmYz0QT0F9qirPc5J1cTss7sGr3FuMU
Source: settings.dat.5.dr	Binary or memory string: VMware, Inc. VMware20,1
Source: phish_alert_sp2_2.0.0.0 (13).eml	Binary or memory string: E7bsFP+OmE47SAKgjRl7RBbJ8JRBWs/qpS53WSKD5pkyPFaa4bEg2uQEmUipJ+bzcsc1ILxir/CH
Source: phish_alert_sp2_2.0.0.0 (13).eml	Binary or memory string: qJ1qL1AJuyF84yvu+LUhYbbiOmxcAap7I2dxKzqPlCgtqEMupWyqIFPp9Sa+n2wqEozxDY2GwGjV

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Modify Registry	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	14 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://api.diagnosticssdf.office.com	0%	URL Reputation	safe
https://login.microsoftonline.com/	0%	URL Reputation	safe
https://shell.suite.office.com:1443	0%	URL Reputation	safe
https://designerapp.azurewebsites.net	0%	URL Reputation	safe
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/	0%	URL Reputation	safe
https://useraudit.o365auditrealtimeingestion.manage.office.com	0%	URL Reputation	safe
https://outlook.office365.com/connectors	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0%	URL Reputation	safe
https://cdn.entity.	0%	URL Reputation	safe
https://api.addins.omex.office.net/appinfo/query	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/tenantassociationkey	0%	URL Reputation	safe
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0%	URL Reputation	safe
https://powerlift.acompli.net	0%	URL Reputation	safe
https://rpsticket.partnerservices.getmicrosoftkey.com	0%	URL Reputation	safe
https://lookup.onenote.com/lookup/geolocation/v1	0%	URL Reputation	safe
https://cortana.ai	0%	URL Reputation	safe
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/imports	0%	URL Reputation	safe
https://cloudfiles.onenote.com/upload.aspx	0%	URL Reputation	safe
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0%	URL Reputation	safe
https://entitlement.diagnosticssdf.office.com	0%	URL Reputation	safe
https://api.aadrm.com/	0%	URL Reputation	safe
https://ofcrecsvcapi-int.azurewebsites.net/	0%	URL Reputation	safe
https://canary.designerapp.	0%	URL Reputation	safe
https://ic3.teams.office.com	0%	URL Reputation	safe
https://www.yammer.com	0%	URL Reputation	safe
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0%	URL Reputation	safe
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0%	URL Reputation	safe
https://cr.office.com	0%	URL Reputation	safe
https://messagebroker.mobile.m365.svc.cloud.microsoft	0%	URL Reputation	safe
https://portal.office.com/account/?ref=ClientMeControl	0%	URL Reputation	safe
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0%	URL Reputation	safe
https://edge.skype.com/registrar/prod	0%	URL Reputation	safe
https://graph.ppe.windows.net	0%	URL Reputation	safe
https://res.getmicrosoftkey.com/api/redemptionevents	0%	URL Reputation	safe
https://powerlift-frontdesk.acompli.net	0%	URL Reputation	safe
https://tasks.office.com	0%	URL Reputation	safe
https://officeci.azurewebsites.net/api/	0%	URL Reputation	safe
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	0%	URL Reputation	safe
https://api.scheduler.	0%	URL Reputation	safe
https://store.office.cn/addinstemplate	0%	URL Reputation	safe
https://api.aadrm.com	0%	URL Reputation	safe
https://edge.skype.com/rps	0%	URL Reputation	safe
https://globaldisco.crm.dynamics.com	0%	URL Reputation	safe
https://messaging.engagement.office.com/	0%	URL Reputation	safe
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://dev0-api.acompli.net/autodetect	0%	URL Reputation	safe
https://www.odwebp.svc.ms	0%	URL Reputation	safe
https://api.diagnosticssdf.office.com/v2/feedback	0%	URL Reputation	safe
https://api.powerbi.com/v1.0/myorg/groups	0%	URL Reputation	safe
https://web.microsoftstream.com/video/	0%	URL Reputation	safe
https://api.addins.store.officeppe.com/addinstemplate	0%	URL Reputation	safe
https://graph.windows.net	0%	URL Reputation	safe
https://dataservice.o365filtering.com/	0%	URL Reputation	safe
https://officesetup.getmicrosoftkey.com	0%	URL Reputation	safe
https://analysis.windows.net/powerbi/api	0%	URL Reputation	safe
https://prod-global-autodetect.acompli.net/autodetect	0%	URL Reputation	safe
https://substrate.office.com	0%	URL Reputation	safe
https://outlook.office365.com/autodiscover/autodiscover.json	0%	URL Reputation	safe
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0%	URL Reputation	safe
https://consent.config.office.com/consentcheckin/v1.0/consents	0%	URL Reputation	safe
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0%	URL Reputation	safe
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0%	URL Reputation	safe
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0%	URL Reputation	safe
https://safelinks.protection.outlook.com/api/GetPolicy	0%	URL Reputation	safe
https://ncus.contentsync.	0%	URL Reputation	safe
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0%	URL Reputation	safe
http://weather.service.msn.com/data.aspx	0%	URL Reputation	safe
https://apis.live.net/v5.0/	0%	URL Reputation	safe
https://officepyservice.office.net/service.functionality	0%	URL Reputation	safe
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0%	URL Reputation	safe
https://templatesmetadata.office.net/	0%	URL Reputation	safe
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0%	URL Reputation	safe
https://messaging.lifecycle.office.com/	0%	URL Reputation	safe
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0%	URL Reputation	safe
https://mss.office.com	0%	URL Reputation	safe
https://pushchannel.1drv.ms	0%	URL Reputation	safe
https://management.azure.com	0%	URL Reputation	safe
https://outlook.office365.com	0%	URL Reputation	safe
https://login.windows.net	0%	URL Reputation	safe
https://wus2.contentsync.	0%	URL Reputation	safe
https://incidents.diagnostics.office.com	0%	URL Reputation	safe
https://clients.config.office.net/user/v1.0/ios	0%	URL Reputation	safe
https://make.powerautomate.com	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.diagnosticssdf.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.microsoftonline.com/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://shell.suite.office.com:1443	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://designerapp.azurewebsites.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://useraudit.o365auditrealtimeingestion.manage.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com/connectors	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://cdn.entity.	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.addins.omex.office.net/appinfo/query	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/tenantassociationkey	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://powerlift.acompli.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://rpsticket.partnerservices.getmicrosoftkey.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://lookup.onenote.com/lookup/geolocation/v1	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://cortana.ai	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/imports	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr	false	URL Reputation: safe	unknown
https://cloudfiles.onenote.com/upload.aspx	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://entitlement.diagnosticssdf.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://ofcrecsvcapi-int.azurewebsites.net/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://canary.designerapp.	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://ic3.teams.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://config.edge.skype.net/config/v1/	HxAccounts.exe, 0000000B.00000002.3585636692.000001B589851000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.yammer.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.microsoftstream.com/api/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://cr.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://messagebroker.mobile.m365.svc.cloud.microsoft	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://otelrules.svc.static.microsoft	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://portal.office.com/account/?ref=ClientMeControl	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/c2r/v1.0/DeltaAdvisory	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/registrar/prod	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://graph.ppe.windows.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://res.getmicrosoftkey.com/api/redemptionevents	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://powerlift-frontdesk.acompli.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://tasks.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.windows.localR	OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	false		unknown
https://officeci.azurewebsites.net/api/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
http://pki-crl.symauth.com/ca_7a5c3a0c73117406add19312bc1bc23f/LatestCRL.crl07	olk6C0A.tmp.0.dr	false		unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://xsts.auth.xboxlive.com5	HxAccounts.exe, 0000000B.00000002.3589072504.000001B590CF4000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://login.windows.localtloR	OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	false		unknown
https://api.scheduler.	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://my.microsoftpersonalcontent.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://store.office.cn/addinstemplate	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.aadrm.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://edge.skype.com/rps	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid=	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://globaldisco.crm.dynamics.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://messaging.engagement.office.com/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://dev0-api.acompli.net/autodetect	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://www.odwebp.svc.ms	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.diagnosticssdf.office.com/v2/feedback	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.powerbi.com/v1.0/myorg/groups	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://web.microsoftstream.com/video/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://api.addins.store.officeppe.com/addinstemplate	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://graph.windows.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://dataservice.o365filtering.com/	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.windows.localnullD	OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl.0.dr	false		unknown
https://officesetup.getmicrosoftkey.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://analysis.windows.net/powerbi/api	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://prod-global-autodetect.acompli.net/autodetect	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://substrate.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.windows.net/	HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://outlook.office365.com/autodiscover/autodiscover.json	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://consent.config.office.com/consentcheckin/v1.0/consents	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://d.docs.live.net	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://safelinks.protection.outlook.com/api/GetPolicy	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://ncus.contentsync.	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false		unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
http://weather.service.msn.com/data.aspx	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://apis.live.net/v5.0/	HxAccounts.exe, 0000000B.00000002.3585589019.000001B58982B000.00000004.00000020.00020000.00000000.sdmp, 0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://officepyservice.office.net/service.functionality	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://templatesmetadata.office.net/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://messaging.lifecycle.office.com/	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://mss.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://pushchannel.1drv.ms	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://xsts.auth.xboxlive.com/	HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://management.azure.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://outlook.office365.com	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://login.windows.net	HxAccounts.exe, 0000000B.00000002.3589021555.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3217980483.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.3014714983.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, HxAccounts.exe, 0000000B.00000003.2626277091.000001B590CBC000.00000004.00000020.00020000.00000000.sdmp, App1728588612068758900_867B4047-AB37-4B0B-A391-40CA9AEDCC2D.log.0.dr	false	URL Reputation: safe	unknown
https://wus2.contentsync.	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://incidents.diagnostics.office.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://clients.config.office.net/user/v1.0/ios	5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown
https://make.powerautomate.com	0C854535-0377-48C9-AB5E-1A7356CF1588.0.dr, 5F09DA67-81DC-49E0-8AB9-284A0013D796.5.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1531116
Start date and time:	2024-10-10 21:29:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	phish_alert_sp2_2.0.0.0 (13).eml
Detection:	CLEAN
Classification:	clean2.winEML@5/22@0/0
Cookbook Comments:	Found application associated with file extension: .eml

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 52.113.194.132, 52.109.76.243, 2.19.126.160, 2.19.126.151, 40.74.98.195, 13.107.42.16
Excluded domains from analysis (whitelisted): omex.cdn.office.net, config.edge.skype.com.trafficmanager.net, slscr.update.microsoft.com, eur.roaming1.live.com.akadns.net, neu-azsc-000.roaming.officeapps.live.com, ecs-office.s-0005.s-msedge.net, roaming.officeapps.live.com, login.live.com, config-edge-skype.l-0007.l-msedge.net, officeclient.microsoft.com, l-0007.l-msedge.net, config.edge.skype.com, a1864.dscd.akamai.net, ecs.office.com, self-events-data.trafficmanager.net, client.wns.windows.com, otelrules.azureedge.net, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, s-0005-office.config.skype.com, fe3cr.delivery.mp.microsoft.com, onedscolprdjpw03.japanwest.cloudapp.azure.com, outlookmobile-office365-tas.msedge.net, s-0005.s-msedge.net, l-0007.config.skype.com, config.officeapps.live.com, osiprod-neu-buff-azsc-000.northeurope.cloudapp.azure.com, settings.data.microsoft.com, ecs.office.trafficmanager.net, omex.cdn.office.net.akama
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: phish_alert_sp2_2.0.0.0 (13).eml

Input	Output
URL: PDF document Model: jbxai	{ "brands":["Skillsoft"], "text":"INVOICE Client No: 20-1169 For Professional and Consulting Services Rendered In Connection With the Following: DESCRIPTION QTY RATE AMOUNT Data entry, Data Analytics, Document Verifications, Financial reports management, Verification services. Consulting fees for additional services incurred due to IRS requirement to report partner capital accounts on tax basis. Time includes recalculation of partner capital accounts and proper basis tracking. Innovation, transformation, and leadership deliver strategy and implementation from a business and technology view to help you lead in the markets where you compete. Additional fees for time incurred to update From 1065 after new trial balance was received. SUBTOTAL TAX TOTAL BALANCE DUE $8, 600.95", "contains_trigger_text":false, "trigger_text":"", "prominent_button_name":"unknown", "text_input_field_labels":"unknown", "pdf_icon_visible":false, "has_visible_captcha":false, "has_urgent_text":false, "has_visible_qrcode":false}

URL: PDF document Model: jbxai

{
"brands":["Skillsoft"],
"text":"INVOICE Client No: 20-1169 For Professional and Consulting Services Rendered In Connection With the Following: DESCRIPTION QTY RATE AMOUNT Data entry,
 Data Analytics,
 Document Verifications,
 Financial reports management,
 Verification services. Consulting fees for additional services incurred due to IRS requirement to report partner capital accounts on tax basis. Time includes recalculation of partner capital accounts and proper basis tracking. Innovation,
 transformation,
 and leadership deliver strategy and implementation from a business and technology view to help you lead in the markets where you compete. Additional fees for time incurred to update From 1065 after new trial balance was received. SUBTOTAL TAX TOTAL BALANCE DUE $8,
600.95",
"contains_trigger_text":false,
"trigger_text":"",
"prominent_button_name":"unknown",
"text_input_field_labels":"unknown",
"pdf_icon_visible":false,
"has_visible_captcha":false,
"has_urgent_text":false,
"has_visible_qrcode":false}

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
File Type:	data
Category:	dropped
Size (bytes):	231348
Entropy (8bit):	4.384060124951261
Encrypted:	false
SSDEEP:	1536:WPYL+qgsY6fQO20BngsSWNcAz79ysQqt2NKfLqoQA7rcm0FvcJJyLjBoNJpH+dFO:TLgf/Sg2miGu2cqoQsrt0FvN5ug8EYb
MD5:	D959295194EAEDFA240A4D466BA00A2C
SHA1:	60B0312DBD1A75F5236BE4B16629C181A1DCAF55
SHA-256:	25DADCB263AC9BBA89C8C3716CE999E48D620D1A0214BD5DBEFF4C2B83E936A6
SHA-512:	10918A5275438F4CAB801A75AFF9D33D91DECCD46549031B5642D21A97851DB50A7A78807FF3FD566EA60E2B416EBB7E0D8941CCF937BE1D16C202356CD8AA0A
Malicious:	false
Reputation:	low
Preview:	TH02...... ....J.......SM01X...,.......J...........IPM.Activity...........h...............h............H..h..o......75....h............H..h\eng ...r\Ap...h.[..0.....o....ho12............h........_`.k...h.32.@...I.6w...h....H...8..k...0....T...............d.........2h...............kU.I...........!h.............. h.}......0.o...#h....8.........$h........8....."h.R.......M....'h..............1ho12.<.........0h....4.....k../h....h......kH..h0...p.....o...-h .......\.o...+h.12.......o................. ..............F7..............FIPM.Activity....Form....Standard....Journal Entry...IPM.Microsoft.FolderDesign.FormsDescription................F.k..........1122110020000000.GwwMicrosoft...This form is used to create journal entries.........kf...... ..........&...........(.......(... ...@.....................................................................................................................fffffffff........wwwwwwww.p....pp..............p...............pw..............pw..DDDDO..

Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe	Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsb.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsymsl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuil.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\offsym.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe	Queries volume information: C:\Windows\Fonts\segoeuisl.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation	Jump to behavior
Source: C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Queries volume information: C:\Windows\Fonts\segmdl2.ttf VolumeInformation	Jump to behavior

Process:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	174570
Entropy (8bit):	5.290046308985573
Encrypted:	false
SSDEEP:	1536:ii2XPRAqIbz41gwErLe7HW8bM/hMdcAZl1p5ihs7gXXWEIJROdYvo:ZHe7HW8bM/FXTZWo
MD5:	50137F203E9C9161EDC28B8E62767C7D
SHA1:	BACD590DADE1FE3CF994C36113AAFC7638479295
SHA-256:	1AAB3195125E981E785E19B8EB666B17E5CE2D80104896041450D36EC64B6EFC
SHA-512:	92D1C56E7C1A44DF9BA745FB89D1E4DBD89B29206BDD1793AA8088B7F8A84C32D7E306C2AC2B9E24EE569FDA184485930F9681A7E0BD44F9E037067125EE32BD
Malicious:	false
Preview:	<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-10T19:30:43">.. Build: 16.0.18124.40132-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[

File type:	RFC 822 mail, ASCII text, with very long lines (998), with CRLF line terminators
Entropy (8bit):	6.04899921367325
TrID:	E-Mail message (Var. 5) (54515/1) 100.00%
File name:	phish_alert_sp2_2.0.0.0 (13).eml
File size:	1'865'992 bytes
MD5:	d7f52aeb8f88e6aae33568f0525ebe29
SHA1:	34fe6187c24dcb85f8370f53d0f08626f1c72a6f
SHA256:	5a7d3b8181f1e69ebf5c29327f089cbd87b67b1825b541ad92d3f01a7823abc5
SHA512:	b5d4f96d8573a2dd47c4ad265be5cd8c56d732f6523ecc342a427c44400ff0715c7712f0cff36f13588d085d74c8f07807137c9cc2ccc48c66e0ea12ec61825b
SSDEEP:	24576:XgXuQJxyluQWGzaeke/3VSyO2rX6dsJ+8fMqJOo3jEsqr46FDqvepWNzbg2tUh4X:Xq5yoGbk67prX148EiOvMM4X
TLSH:	0285123ADD6521D63B74521FD71E2C4238AA3B4F0CC8A1E5735AC54A91ACB3B9121CBF
File Content Preview:	Received: from CH2PR08MB10633.namprd08.prod.outlook.com (::1) by.. PH0PR08MB6488.namprd08.prod.outlook.com with HTTPS; Thu, 10 Oct 2024.. 18:24:32 +0000..Received: from PH7PR02CA0012.namprd02.prod.outlook.com.. (2603:10b6:510:33d::12) by CH2PR08MB10633.na

Subject:	[EXTERNAL] Vendor Setup
From:	Skillsoft Coaching Business & Financial Services LLC <k.sword.m5@kzh.biglobe.ne.jp>
To:	Penny Shoffner <pshoffner@bellpartnersinc.com>
Cc:
BCC:
Date:	Thu, 10 Oct 2024 18:20:13 +0000
Communications:	CAUTION: EXTERNAL SENDER Do not click links or open attachments unless you trust the sender and know the content is safe. Hi Elizabeth, Thank you for your response. Per your instructions, I have added the Accounts Department to this email thread and forwarded the invoice for their attention. I would greatly appreciate a quick confirmation once the payment is processed. Thank you in advance for your cooperation. Regards, Mike Morris Billing Clerk Skillsoft Coaching Business & Financial Services LLC 7887 E Belleview Ave Ste 600, Greenwood Village, Colorado 80111 Email: billing@biz-skillsoft.com --- From: Elizabeth Bell <Elizabeth.Bell@bellpartnersinc.com> Date: October 4, 2024, 11:31 AM Subject: Re: Invoice 55701 To: Mike Morris <billing@biz-skillsoft.com> Cc: Lance Busch <payments@biz-skillsoft.com> Dear Mike, Thank you for reaching out. I appreciate your patience regarding the invoice. As I said, you will need to be set up as a new vendor on our side. Kindly forward the attached invoice to our Accounts Department for vendor setup and payment processing. You may include them directly in this conversation. If you havent reached out, please do. Let me know if you hear anything. Regards, Elizabeth Bell --- From: Mike Morris <billing@biz-skillsoft.com> Cc:Lance Busch <payments@biz-skillsoft.com> Date: October 3, 2024, 10:21 AM Subject: Invoice 55701 To: Elizabeth Bell <Elizabeth.Bell@bellpartnersinc.com> Hi Elizabeth Bell, Regarding our conversation about the outstanding invoice for the last sessions of services provided, kindly find attached the relevant invoice for immediate processing: Invoice 55701. The invoice was due on September 30, 2024. Please advise! Regards, Mike Morris Billing Clerk Skillsoft Coaching Business & Financial Services LLC 7887 E Belleview Ave Ste 600, Greenwood Village, Colorado 80111 Email: billing@biz-skillsoft.com
Attachments:	bellpartnersinc.pdf W9.pdf

Key	Value
Received	from mail.biglobe.ne.jp by mta-snd-w04.biglobe.ne.jp with ESMTP id <20241010182015656.FAUG.83843.mail.biglobe.ne.jp@biglobe.ne.jp> for <pshoffner@bellpartnersinc.com>; Fri, 11 Oct 2024 03:20:15 +0900
Arc-Seal	i=1; s=201903; d=dkim.mimecast.com; t=1728584664; a=rsa-sha256; cv=none; b=j3OZ9qY0AdPtl2oiRJXWJh0TCpnC6Ltv4Lp/GR8iFiJdNcGaO/tm54/kOs9dqpGKq6rZmT GkXG4AMSyEvS0ROsYPbLgVbCQWAqnYqUwehUdCLhfoP9uSn4TesO6awUM53d3f1QbXZnwr p55b5LoGbD3F7gVpyveb+f55AfrDheste9JBWyEoOUO8M3ZDkIF/+hsNprKIjbswp6eiaq wc3KQ+sYK1d5ZBcsSxTpuuBcbF0CFPoXkjkV0Kmf5WCbu9VDerLSkh6I22793TpWXeLJvf H0OkiiErHPgcZFbIYDJoZmq7F8+O6pkN7R2DmWnzlhMch2QvJqc7pz1BLlMGCw==
Arc-Message-Signature	i=1; a=rsa-sha256; c=relaxed/relaxed; d=dkim.mimecast.com; s=201903; t=1728584664; h=from:from:reply-to:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:mime-version:mime-version: content-type:content-type:dkim-signature; bh=WQqFt/tI8b+XA5vH/Xfzp9SXYcwCsFzFwqzJbJfmHOo=; b=AIm7hEw8tlIhKxW4EPUxFIY7sZqhNCZYDV6nYM3rMzh+JyufOcfYrDj0DrhJg2EHRZ1/1T nChDWGJDtERRk6FUoctXVA7yhwDcZQWz/433KtJqn+f7h023cc9XpZrESQzWK5f39/Finh r9aOJ1jUFLDc2AqeAW43XfvYiBks2GDFA5n0EruoDJ5hNF3vtY7O0uIOXlR7eCywbjtehd 6Ze/Tzs1vjCW7qXxeeCeHjR8OHH2/QLFIdnIB8EQuMS+NrQSn+F9IU/YZZ+sgQ6YcvEbVI 9fonDjYDp3ASqkc0+B/hY4mX1VHI7w9vhQN9nLAMtIXDrOXSKBSP1J4E0kbaFw==
Arc-Authentication-Results	i=1; relay.mimecast.com; dkim=pass header.d=kzh.biglobe.ne.jp header.s=default-1th84yt82rvi header.b="R/B+/95I"; dmarc=pass (policy=none) header.from=biglobe.ne.jp; spf=pass (relay.mimecast.com: domain of k.sword.m5@kzh.biglobe.ne.jp designates 27.86.113.49 as permitted sender) smtp.mailfrom=k.sword.m5@kzh.biglobe.ne.jp
Authentication-Results	spf=pass (sender IP is 27.86.113.49) smtp.mailfrom=kzh.biglobe.ne.jp; dkim=fail (signature did not verify) header.d=kzh.biglobe.ne.jp;dmarc=pass action=none header.from=kzh.biglobe.ne.jp;compauth=pass reason=100
Received-Spf	Pass (protection.outlook.com: domain of kzh.biglobe.ne.jp designates 27.86.113.49 as permitted sender) receiver=protection.outlook.com; client-ip=27.86.113.49; helo=mta-sndfb-w01.biglobe.ne.jp; pr=C
Authentication-Results-Original	relay.mimecast.com; dkim=pass header.d=kzh.biglobe.ne.jp header.s=default-1th84yt82rvi header.b="R/B+/95I"; dmarc=pass (policy=none) header.from=biglobe.ne.jp; spf=pass (relay.mimecast.com: domain of k.sword.m5@kzh.biglobe.ne.jp designates 27.86.113.49 as permitted sender) smtp.mailfrom=k.sword.m5@kzh.biglobe.ne.jp
X-Mc-Unique	DN28E3gwPJiLTGB3EAXWaA-1
From	Skillsoft Coaching Business & Financial Services LLC <k.sword.m5@kzh.biglobe.ne.jp>
To	Penny Shoffner <pshoffner@bellpartnersinc.com>
Reply-To	myassistant@sales-selfservice.com
Subject	[EXTERNAL] Vendor Setup
Message-Id	<b4db8301-79be-11b2-601a-052c233e261c@kzh.biglobe.ne.jp>
Date	Thu, 10 Oct 2024 18:20:13 +0000
MIME-Version	1.0
X-Biglobe-Sender	k.sword.m5@kzh.biglobe.ne.jp
Dkim-Signature	v=1; a=rsa-sha256; c=relaxed/relaxed; d=kzh.biglobe.ne.jp; s=default-1th84yt82rvi; t=1728584421; bh=2YgX/cI2rf6tGF57D756Hac5bHpMYNzmS5qW5LJ0obQ=; h=From:To:Reply-To:Subject:Date; b=R/B+/95IayqhkHLIEoI+XffBcLAj3IBK2qPc//gc968NyLgHCNL1Kp0+NFn+UkaZZLYKNmtJ AKu4EfNxKKOfWOe7TmQZBPBdZIlJK5NTu45sOV7XKr31mpJctabT6ex8im83vRNb5bnoYevASl W1SgQ8tScJ1YSKAvWdd0qB7gOBiNKYbacY8f6G/lYkqPm7rmVCDgcbGLE53jqCq6hKi41kK2OA oUczWyS6jt/eaDl5i3lTk0DNO5tc1hV4PMPsB3VVCYI9xfMlQnKj2ULm8JBJXKS8tFk0j8iTJ6 XS0doP1p05Jm7faK0oqGSSYXw64ReiFanXov2bOQZCFquyqQ==
X-Mimecast-Spam-Score	3
X-Mimecast-Impersonation-Protect	Policy=Impersonation Protect;Similar Internal Domain=false;Similar Monitored External Domain=false;Custom External Domain=false;Mimecast External Domain=false;Newly Observed Domain=false;Internal User Name=false;Custom Display Name List=false;Reply-to Address Mismatch=false;Targeted Threat Dictionary=true;Mimecast Threat Dictionary=true;Custom Threat Dictionary=false
Return-Path	k.sword.m5@kzh.biglobe.ne.jp
X-Ms-Exchange-Organization-Expirationstarttime	10 Oct 2024 18:24:25.1259 (UTC)
X-Ms-Exchange-Organization-Expirationstarttimereason	OriginalSubmit
X-Ms-Exchange-Organization-Expirationinterval	1:00:00:00.0000000
X-Ms-Exchange-Organization-Expirationintervalreason	OriginalSubmit
X-Ms-Exchange-Organization-Network-Message-Id	753eb0c7-a351-4b80-cbc3-08dce958c4ff
X-Eopattributedmessage	0
X-Eoptenantattributedmessage	7ba566b9-eb1e-462c-b923-57bac7bc136e:0
X-Ms-Exchange-Organization-Messagedirectionality	Incoming
X-Ms-Exchange-Skiplistedinternetsender	ip=[27.86.113.49];domain=mta-sndfb-w01.biglobe.ne.jp
X-Ms-Exchange-Externaloriginalinternetsender	ip=[27.86.113.49];domain=mta-sndfb-w01.biglobe.ne.jp
X-Ms-Publictraffictype	Email
X-Ms-Traffictypediagnostic	CY4PEPF0000EE33:EE_\|CH2PR08MB10633:EE_\|PH0PR08MB6488:EE_
X-Ms-Exchange-Organization-Authsource	CY4PEPF0000EE33.namprd05.prod.outlook.com
X-Ms-Exchange-Organization-Authas	Anonymous
X-Ms-Office365-Filtering-Correlation-Id	753eb0c7-a351-4b80-cbc3-08dce958c4ff
X-Ms-Exchange-Atpmessageproperties	SA\|SL
X-Ms-Exchange-Organization-Scl	-1
X-Microsoft-Antispam	BCL:0;ARA:13230040\|7093399012\|2092899012\|3072899012\|12012899012\|82310400026\|2722699018\|43540500003
X-Forefront-Antispam-Report	CIP:205.139.110.120;CTRY:JP;LANG:en;SCL:-1;SRV:;IPV:NLI;SFV:NSPM;H:mta-sndfb-w01.biglobe.ne.jp;PTR:mta-sndfb-w01.biglobe.ne.jp;CAT:NONE;SFS:(13230040)(7093399012)(2092899012)(3072899012)(12012899012)(82310400026)(2722699018)(43540500003);DIR:INB
X-Ms-Exchange-Crosstenant-Originalarrivaltime	10 Oct 2024 18:24:24.8916 (UTC)
X-Ms-Exchange-Crosstenant-Network-Message-Id	753eb0c7-a351-4b80-cbc3-08dce958c4ff
X-Ms-Exchange-Crosstenant-Id	7ba566b9-eb1e-462c-b923-57bac7bc136e
X-Ms-Exchange-Crosstenant-Authsource	CY4PEPF0000EE33.namprd05.prod.outlook.com
X-Ms-Exchange-Crosstenant-Authas	Anonymous
X-Ms-Exchange-Crosstenant-Fromentityheader	Internet
X-Ms-Exchange-Transport-Crosstenantheadersstamped	CH2PR08MB10633
X-Ms-Exchange-Transport-Endtoendlatency	00:00:07.9795943
X-Ms-Exchange-Processed-By-Bccfoldering	15.20.8048.010
X-Microsoft-Antispam-Mailbox-Delivery	ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003)
X-Microsoft-Antispam-Message-Info	sOMJ8lC3HQoYdHfo13uGMlNrmMTPVd8E7w1YS5zq1QorEM5bVK/Y8E2OVLGI4TLQ0gY7zT3d1Bivpw/zb+/q0nh5pqJkz90G/K7oMNQ4dX4In9OY4RkS6yVxzkcujuVvl2cQg8c72iRl9r7sSLGx78moY0HXEn7ZGEHWDqOH9C4VrCaCmN1mNwKfU3+TosXpU1bHeGi7DiqoRPQNiTOBT7Kjm6n0wovIx+dNYbJxs3BivnX3BaMZJFeNGcqh8Vsni1H03ABKUoQaekrp7PgaDkLMBpdGmG3Yfgjd7jZCdZNfT6zF0wf9iKfrt90q6L1+c/7sZFmzoPTgXrtRc7/tM0fp1wrQAA+EKkJLIcEwuuJx6uJ5qyt1xq8h55/UQSmeGayA2esGSOS5Q2rcsdsrTSLMjNiLA4bqmWZegJRO0ALOU+KxbvsWdRRB6cz6aZqJ+xsm2dc6OKVGlw2zWf9nSPhAkv97BWwmiEDgtQRXbbS8nM0gNnnLkEDX7476GDhLjQhnL3P69s/dmIMmQ1IhUlM7E4Hc3HS6EgTH63IyaUJeKDXjJ36Yuc1cd/pZpxS+jgsHg9UnjlhegtOEPh//Mh3WDrJXcZDkJCwxj2vYtE9jGcxQ5gzvcsBzbKQN6h/rvFbXYtlHbj8Zq0zAMlNYtszICakJAV0AAiL8LMrhD+LpY6um+zfQI0UgWVXg+XK1xPnyBUdrcLg/7UPXVOuCTprlMAoPlPLKHXliUxgyfMHOX0iM/jSGUKUBz5ar30LSVKyOPFxMTFQDcDK8Iuta/SrUM+DnA6tGcS44r/7wlXQXVAlDMbd6uaHK2l9fvMNF8c6a6g30rjEtAf4jsmryfuEQQJci4xdoJWCK+OM0lLuybOD7HtSkp3gpcX27A7k58sEaPjTzj+1ma6hUBAPPl21oOYnMR0oLeKgbKCOXtYtiMMWfGd0GLpPziO0JO1a3/92 RGfKkYp47MjPsjYUCb8GCgn/F0EjjhpQCJaa2pSCBEGyQK6lRn5mCtdSpOJk2S8kNv9Jm8HdmIrZk4vEhT1wqFGCBa6Ss/KCHJMv3B3119Li+bgVM6uqPJnM6rWYcPKJxIiAUuQfCUMVukpbinn/+1UfpQw7nvnE3am56wxSvP0yZm43unqJnY1G4fYgGZYmFQAiY0yXh+Vsp0H7LBZy72u1JYEsm/rMrM6hSqBtWLYB5/OGbnv/QL1GeYvQ2BbLSbQ+xEJ3TqfwxR/K3QsM+i8Wpq1uwV55iuLk+ui1EK3al7m9AxpzGF7b4xd1n/2uEhCPbOmTExyd9aRJHru2PqwV/I4gKfjqcfInaS8QFteL3PTyyzFtxzHWCsO6yal4jO8FLYo9l7iNnMI6XYQgihA38pADBZvUIa/TC/7AzBqBLcKpz4R0alJMp7G2F0nZOZpC0V5fkjSi2fGM2IC2kdEd5aFHuOYRG15s5kzCV0O92r8Tfysyh/iXNBYdO4IZKf/HzaOGmjUlk6DpaMOIM2+6WG5YMEo1kVv3iUUvt0LohXU6txR9hgmLd/EpWTWDWtgixip1aUMnkv5whGePwXPs+BOkkB0ikkB/SpjRdaaJaPTMMjkeiyK8bGk27YpBGw1w4qVzCunRGIdotBiG7WHf238032OtdAGlTV46HBqwHWH7f86s3AvXGs2CtGIkNMYuj8C3ZJWU9Qtjqztla7QL7jBYeNwUCUD6zTj29d7avJPvO5bXzit7dxdib4qWF9nTdrHqD+JTjpgcX/dgHtWbrhxeBPmWrNEtFlHmOVTNnlwI8zdmNUk/bkP29JdssPmdRedREWoSXPGSnKxM6xY9MrOlKFg4AP61ANoLHjdLQa3YsSux+nv4xn+zHJvui3I+PjS0fDp3WAyky3RMr06JWGHLF7d0lEnVtOxAWyFT2aVtcIouXZHUBRZ0F3H+ibXZ5GOkvrpsoSTyYOy0xtgkQnZyKgfuxq72M sFLTJmG1sSOiKR3GEjYcsTDArSGOJ2loCrhaD2MnFPia0vO4PyuXaP14gDtMfFHwJyQ9/xqPrcfFYD6gEdyAJHPBqQuo+Bhx0RVOqNrtNbxVEPIG7TwS2KHqN3xCZKUSp4z3+4UL9hayzqVAtKwJAKF6WMe9HJ4Enii791B0ErLsnm1yjPY4pZ+vpGpmdZAt5lHVrwtTuD2kNCyjvP6BUF4QLRO57nT9eMQowbE3O5h6ZRHWJyRLUrdhDBC+luPxETUF/krqMeiYH7rsXkxEumrl/j3n1Ec5ugqMR+Fz5qW9EqDPq+ofD+0C/x4mkKl3jBxnZyOy/WYzebaTH61evAru2iraicO0nQgfAaULovQ3mHOSa7rMqmctXRQTlZN6IFuO2SLP2MD7vaCaUmDSLRYq
Content-Type	multipart/mixed; boundary="----sinikael-?=_1-17285875823870.6693688166369929"

Target ID:	0
Start time:	15:30:09
Start date:	10/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (13).eml"
Imagebase:	0x720000
File size:	34'446'744 bytes
MD5 hash:	91A5292942864110ED734005B7E005C0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	2
Start time:	15:30:14
Start date:	10/10/2024
Path:	C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "275573E4-4E3A-44CF-9503-868017FC0EFD" "DC9DDA95-057A-40A5-91CF-1110D1B5CBAE" "4132" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Imagebase:	0x7ff7a0250000
File size:	710'048 bytes
MD5 hash:	EC652BEDD90E089D9406AFED89A8A8BD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	5
Start time:	15:30:39
Start date:	10/10/2024
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxOutlook.exe" -ServerName:microsoft.windowslive.mail.AppXfbjsbkxvprcgqg6q4c9jfr0pn3kv9x5s.mca
Imagebase:	0x7ff7f6fc0000
File size:	2'486'784 bytes
MD5 hash:	6F8EAC2C377C8F16D91CB5AC8B8DBF5F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Target ID:	11
Start time:	15:30:43
Start date:	10/10/2024
Path:	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe" -ServerName:microsoft.windowslive.manageaccounts.AppXdbf3yp5apt3t7q877db3gnz5zqpf71zj.mca
Imagebase:	0x7ff6fc210000
File size:	274'432 bytes
MD5 hash:	6FEB00C9A2C3FF66230658B3012BAB6A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report phish_alert_sp2_2.0.0.0 (13).eml

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Networking

System Summary

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\FORMS\FRMCACHE.DAT

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\0C854535-0377-48C9-AB5E-1A7356CF1588

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-journal

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-shm

C:\Users\user\AppData\Local\Microsoft\Office\OTele\outlook.exe.db-wal

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\AppData\Local\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\5F09DA67-81DC-49E0-8AB9-284A0013D796

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxAccountsAlwaysOnLog.etl

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\LocalState\HxmAlwaysOnLog.etl

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat

C:\Users\user\AppData\Local\Packages\microsoft.windowscommunicationsapps_8wekyb3d8bbwe\Settings\settings.dat.LOG1

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728588612068758900_867B4047-AB37-4B0B-A391-40CA9AEDCC2D.log

C:\Users\user\AppData\Local\Temp\Diagnostics\OUTLOOK\App1728588612069420000_867B4047-AB37-4B0B-A391-40CA9AEDCC2D.log

C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241010T1530110586-4132.etl

C:\Users\user\AppData\Local\Temp\olk6BDA.tmp

C:\Users\user\AppData\Local\Temp\olk6C0A.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\MSO3072.acl

C:\Users\user\AppData\Roaming\Microsoft\Outlook\NoEmail.srs

C:\Users\user\Documents\Outlook Files\Outlook Data File - NoEmail.pst

C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp

Static File Info

General

Static Mail

General

Headers

File Icon

Network Behavior

Windows Analysis Report
phish_alert_sp2_2.0.0.0 (13).eml