Windows Analysis Report
phish_alert_sp2_2.0.0.0 (4).eml

Overview

General Information

Sample name: phish_alert_sp2_2.0.0.0 (4).eml
Analysis ID: 1532597
MD5: 53fde2f9dd5d70ac9541b5a36796c650
SHA1: 1bb4ba8b98a91c0f4288e6bfe059b3264ddb2dd5
SHA256: a5f702b11a6441c8251ac0a65d44c9e221d7605e88228ffe265f6bdc9cb03c5e
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 5284 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (4).eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 6600 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0603E0F2-E27D-4380-B40F-7C0D8400D81C" "39916617-269A-4E2E-A890-A1742EEE255C" "5284" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set
Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 5284, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Suricata rule has matched

Source: phish_alert_sp2_2.0.0.0 (4).eml, ~WRS{B923014A-0E03-4A03-B0F1-5084B4CAE5E1}.tmp.1.dr - String found in binary or memory: https://hilcorp0-my.sharepoint.com/personal/jeffrey_turkington_hilcorp_com/_layouts/15/UserExpiratio
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://southcentralusr-notifyp.svc.ms:443/api/v2/tracking/method/View?mi=0pl39tpuu0uDOiKOKZ0lrQ
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://staging.cortana.ai
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.tt
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-light.wo
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-regular.
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semibold
Source: phish_alert_sp2_2.0.0.0 (4).emlString found in binary or memory: https://static2.sharepointonline.com/files/fabric/assets/fonts/segoeui-westeuropean/segoeui-semiligh
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://store.office.cn/addinstemplate
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://store.office.de/addinstemplate
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://substrate.office.com
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://substrate.office.com/Notes-Internal.ReadWrite
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://substrate.office.com/search/api/v1/SearchHistory
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://substrate.office.com/search/api/v2/init
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://tasks.office.com
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://templatesmetadata.office.net/
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://uci.cdn.office.net/mirrored/smartlookup/current/
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://useraudit.o365auditrealtimeingestion.manage.office.com
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://web.microsoftstream.com/video/
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://webshell.suite.office.com
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://word-edit.officeapps.live.com/we/rrdiscovery.ashx
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://wus2.contentsync.
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://wus2.pagecontentsync.
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://www.odwebp.svc.ms
Source: 2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drString found in binary or memory: https://www.yammer.com
Source: classification engine Classification label: clean1.winEML@3/13@0/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File created: C:\Users\user\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20241013T1209050973-5284.etl
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (4).eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0603E0F2-E27D-4380-B40F-7C0D8400D81C" "39916617-269A-4E2E-A890-A1742EEE255C" "5284" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE File Volume queried: C:\Windows\SysWOW64 FullSizeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
[Behavior graph, ID 1532597. Sample: phish_alert_sp2_2.0.0.0 (4).eml; start date: 13/10/2024; architecture: WINDOWS; score: 1. Process tree: OUTLOOK.EXE started ai.exe.]

No Antivirus matches
No contacted domains info
        • URL Reputation: safe
        unknown
        https://consent.config.office.com/consentcheckin/v1.0/consents2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
        • URL Reputation: safe
        unknown
        https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
        • URL Reputation: safe
        unknown
        https://learningtools.onenote.com/learningtoolsapi/v2.0/Getvoices2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
        • URL Reputation: safe
        unknown
        https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
        • URL Reputation: safe
        unknown
        https://d.docs.live.net2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
          unknown
          https://safelinks.protection.outlook.com/api/GetPolicy2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
          • URL Reputation: safe
          unknown
          https://ncus.contentsync.2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
          • URL Reputation: safe
          unknown
          https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            unknown
            https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            http://weather.service.msn.com/data.aspx2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://apis.live.net/v5.0/2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://officepyservice.office.net/service.functionality2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://templatesmetadata.office.net/2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://messaging.lifecycle.office.com/2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://mss.office.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://pushchannel.1drv.ms2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://management.azure.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://outlook.office365.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://wus2.contentsync.2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://incidents.diagnostics.office.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://clients.config.office.net/user/v1.0/ios2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://make.powerautomate.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://api.addins.omex.office.net/api/addins/search2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://insertmedia.bing.office.net/odc/insertmedia2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://outlook.office365.com/api/v1.0/me/Activities2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://api.office.net2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://incidents.diagnosticssdf.office.com2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            https://asgsmsproxyapi.azurewebsites.net/2EFC83C3-C4CC-47B3-8696-C0572C2A9A4B.1.drfalse
            • URL Reputation: safe
            unknown
            No contacted IP infos
            Joe Sandbox version:41.0.0 Charoite
            Analysis ID:1532597
            Start date and time:2024-10-13 18:07:50 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 44s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:7
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:phish_alert_sp2_2.0.0.0 (4).eml
            Detection:CLEAN
            Classification:clean1.winEML@3/13@0/0
            EGA Information:Failed
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 0
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .eml
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 52.109.76.240, 52.113.194.132, 52.182.141.63
            • Excluded domains from analysis (whitelisted): ecs.office.com, slscr.update.microsoft.com, prod.configsvc1.live.com.akadns.net, s-0005-office.config.skype.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, neu-azsc-config.officeapps.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, onedscolprdcus01.centralus.cloudapp.azure.com
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryAttributesFile calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            No simulations
            Input: URL: Email, Model: jbxai
            Output:
            {
            "brands":["Hilcorp"],
            "text":"These people will lose access soon",
            "contains_trigger_text":true,
            "trigger_text":"These people will lose access soon",
            "prominent_button_name":"Manage access",
            "text_input_field_labels":["Name",
            "Expires"],
            "pdf_icon_visible":false,
            "has_visible_captcha":false,
            "has_urgent_text":true,
            "has_visible_qrcode":false}
            No context
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):231348
            Entropy (8bit):4.395481414354548
            Encrypted:false
            SSDEEP:3072:K1ggyfgQmiGu2t4qoQqrt0FvWH+fLcAEuI:KAFmi2tl2+fLcARI
            MD5:DEAD4F92BE23CD9958344DF14057AFC7
            SHA1:B30266E8C3C958D69D8DC8586DCC8B9B7C743EA8
            SHA-256:54BD8DA9DD38CAC6A83223CDC1BF2DB0CC0AE2FF3697056B1F41D47C53D783C3
            SHA-512:3DB9A952B134685D4603FC92AB2622938AACFBAEB3E9C7F57D65AB647026C89C60D0D5186D29930AFBF2859EA840AC640A865F7B5B0EA7F0923B625CC70AF770
            Malicious:false
            Reputation:low
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):178099
            Entropy (8bit):5.29051989505366
            Encrypted:false
            SSDEEP:1536:3i2XfRAqcbH41gwEwLe7HW8bM/o/NMdcAZl1p5ihs7EXXDEAD2Odago:CCe7HW8bM/o/TXgk9o
            MD5:18AAD10BC96CD0D0D52926F90125F763
            SHA1:269464019F5E945CD35FE7EE1BDB187F2DB54206
            SHA-256:EC1975251BD10F329D803F71DE29F5F498748001ACA9D60A5449DC65371E95BA
            SHA-512:D3EC7B312A63E25818A0CCE9EC391F6722551D083871C35FDC088D1C87D4C8A18B6991E7C41D0B06F6E07F766C3B84B48C80BC6B7C46952948309E58A43EB675
            Malicious:false
            Reputation:low
            Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-10-13T16:09:08">.. Build: 16.0.18204.40137-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):32768
            Entropy (8bit):0.045583106806383875
            Encrypted:false
            SSDEEP:3:GtlxtjlhNHznYlxtjlhNHzNlR9//8l1lvlll1lllwlvlllglbelDbllAlldl+l:GtPTnYPTN/9X01PH4l942wU
            MD5:4D5D8366B1036E03FDD83AF2B43C6038
            SHA1:7451CE5A9869A55534CAC964323E954969E9D2D3
            SHA-256:4BC7FA13026CE4386522CB1BFCE99DFB9065FD45686FB7C2E975714DB6721CFD
            SHA-512:080154C0882314851B71F16AB1182FA4AAD7C2009FECF638415B9A81F915BC64911611E967630DAC8AF3F2492217B95E64AEC9600255280219A3239D8739FDBF
            Malicious:false
            Reputation:low
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:SQLite Write-Ahead Log, version 3007000
            Category:modified
            Size (bytes):49472
            Entropy (8bit):0.48379001595628884
            Encrypted:false
            SSDEEP:48:8jhQ1Sl23Ull7DYMLzO8VFDYM+NXBO8VFDYML:Zspll4cjVGLjVGC
            MD5:E4151474CD420BC2BA254CF162B8AA4D
            SHA1:AA045E70C33272692BB1FA8AB2EEC254C67CFDF1
            SHA-256:0FCA1496E4372E0F8FC9862415B5AF432A715066B7416AAEE5F7649CB507D56E
            SHA-512:71AFB29FD653C40FB0FF9F20596CEC89EA1A055E56F1DC38A24277B181EEC81F2994C983408C2F69D51F6776614D9F9FA6DB4B8FE69C554EE129917B16812756
            Malicious:false
            Reputation:low
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:PNG image data, 280 x 60, 8-bit/color RGBA, non-interlaced
            Category:dropped
            Size (bytes):4929
            Entropy (8bit):7.784746408373799
            Encrypted:false
            SSDEEP:96:fv6knZl+b+49eeT1x9z/E0LyjrU2a61Dl+8aKVU0dGNi+au+XHt8EbGwEOxbz:fCknZl+b+o7zs0so2LDU8TVq/lKN8Ebn
            MD5:1A5375D43A6F15FE83F723051CF37B16
            SHA1:2956DD49752BE1B0E2BE9E399436543A5AD8B4F6
            SHA-256:CFFE7A6B0FF892FF7BF29D8F84760DF0A4AA82A00E4F5F5BE84CA45705316D4E
            SHA-512:B84869A1AA58DAD866B6B1DEDAB16B726AA4A26EF66225C59074EEE38C700CFCBF71EBB63B02E897022C002E732CC8F6D26B327DCCA1F72E20B3B04479DB2F9A
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:.PNG........IHDR.......<............sRGB.........gAMA......a.....pHYs...........k....6iTXtXML:com.adobe.xmp.....<?xpacket begin="." id="W5M0MpCehiHzreSzNTczkc9d"?>..<x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c060 61.134777, 2010/02/12-17:32:00 ">.. <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">.. <rdf:Description rdf:about="" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmpMM:OriginalDocumentID="uuid:B90B6AF5DD4ADF11BBCBDC4E6658DE60" xmpMM:DocumentID="xmp.did:D2BD5014CAA311E285C48A67A85A2C04" xmpMM:InstanceID="xmp.iid:D2BD5013CAA311E285C48A67A85A2C04" xmp:CreatorTool="Adobe Illustrator CS5">.. <xmpMM:DerivedFrom stRef:instanceID="uuid:7516ecc7-a81a-3646-bec7-a5e8df6fb931" stRef:documentID="xmp.did:C3B5D0D30E2068118C14EA316DAFE45E" />.. <dc:title>.. <rdf:Alt>.. <r
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:PNG image data, 97 x 97, 8-bit colormap, non-interlaced
            Category:dropped
            Size (bytes):629
            Entropy (8bit):7.117879959817906
            Encrypted:false
            SSDEEP:12:6v/7UofybZj0Cni4OAKPisdZtD/CW1wvCcmh:4fkjB+A3kD6ecs
            MD5:EBFAECCA0CF4A67F4E7CF2705D44CA5A
            SHA1:515A7C07887272F537EAB3B58536F2C514470C88
            SHA-256:68CE6C006D85B12F22FE2B4E768653439A7D44E0FB6CD63E52CB489BB9BD4C99
            SHA-512:6C6A34D9B0CFA6C6B7A6D5D8BE31262865E23B050AEBEE49263F2478206FF98C44CF90BAB577568AEB9E208275299DF4BD259517FB2419A1434BB3CBA5ACC66C
            Malicious:false
            Reputation:low
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):3396
            Entropy (8bit):2.6500646388662443
            Encrypted:false
            SSDEEP:48:V068N89eXoAkh/VW+GHiUUUUBDl4regQqALr+:i785AkBVW+GCUUUUvbgQq4
            MD5:5912AAE41FD1F6760B04CF5C09BB299B
            SHA1:F1928147C4F01A680D2DDA5604EE1851A9105F01
            SHA-256:6E08CD9649581AB72504A412B38A26C04AE11F77992C57DD664C72D6AE35B8AE
            SHA-512:609660B85C644CCBC8E7DFDD1B6620B9514AFD9CD760953BB1E47125AFEFF3EA4188115527D0905914959939DD54447EF17DF29D35E81B54C8D68A684F868F72
            Malicious:false
            Reputation:low
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:ASCII text, with very long lines (28769), with CRLF line terminators
            Category:dropped
            Size (bytes):20971520
            Entropy (8bit):0.1762624307913258
            Encrypted:false
            SSDEEP:1536:94Jj+H+iTW4Bt0dnoQ66qKppZlTCQNjQygSxG2YRmu/g6B+QixDkDHbp:hH9jBtE6kjSJ
            MD5:283A847B1ED05954A09D31B1B3C62E23
            SHA1:ED441D0E65A5D9FEDAEA909F8DBC895AE097DAE3
            SHA-256:4A610E55DAC22A66DFB3ACF8543DDD5DD42F3C95373AF174C39008A523F9CEA9
            SHA-512:FED0005645D7F6FBC74DF732E3F82A7B00B5C4257FFAA4BB96D977ECA6C132FC87E7AF30D47E1AC3799D84D20237620C25653756D6963CB9601701138389AC66
            Malicious:false
            Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..10/13/2024 16:09:06.379.OUTLOOK (0x14A4).0x11A4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-10-13T16:09:06.379Z","Contract":"Office.System.Activity","Activity.CV":"L0CFgFh7lE+ulRKAJlW6CA.4.9","Activity.Duration":13,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...10/13/2024 16:09:06.395.OUTLOOK (0x14A4).0x11A4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-10-13T16:09:06.395Z","Contract":"Office.System.Activity","Activity.CV":"L0CFgFh7lE+ulRKAJlW6CA.4.10","Activity.Duration":12737,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorV
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):20971520
            Entropy (8bit):0.0
            Encrypted:false
            SSDEEP:3::
            MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
            SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
            SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
            SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
            Malicious:false
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):106496
            Entropy (8bit):4.5127160308309415
            Encrypted:false
            SSDEEP:768:vwfzemKSwAWlL4GoPK9hYrk2fnlO/khlQkW2bX80oo4WOfWqcSv:b4GoC9hYI2N0KlzXgv
            MD5:5D9913EECA98A769A4DE425918FB0016
            SHA1:71806E1DBB78425263F6C3297F40E1326DFA7D55
            SHA-256:00C46C25521176E0EDB3357C6AB3FD5F372F5873976E9BE135EBD62EC329268B
            SHA-512:699DE5D11C37248243204B38ECCE1D2B3AC932ED1EF8AC7659D938DA95039A68A6A23E27F5D41161A9E17A788E0E21BB685A4FF8684E168905014ABC5642DEAF
            Malicious:false
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):30
            Entropy (8bit):1.2389205950315936
            Encrypted:false
            SSDEEP:3:Guv:Gu
            MD5:4F73B4703E6A0CB22A5108154237107B
            SHA1:EB5BC4C6D821364B8A02A2B49872589D3FD33AD3
            SHA-256:67836EA8D96F86B7B23CDFB66EC0BFDFB4007B7BC5BCCBD1FAC33161EE1DDE9E
            SHA-512:D38B070CD158CF4132BA49EAA201982E9A8ADE7F73D3F5B9494AB94B273F8AA6D2026E72674C228AB24C7AA4EDF023002443B71D666EA1BA0569C7B2EDAC7679
            Malicious:false
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:Microsoft Outlook email folder (>=2003)
            Category:dropped
            Size (bytes):271360
            Entropy (8bit):2.4344364085539993
            Encrypted:false
            SSDEEP:1536:lfJeOQ/fpkVL7ojeFHyW53jEpEHP4qQ10PAwrEUG+:lx57kp9XUG
            MD5:CDA70A52A37C597510F5EB2500799978
            SHA1:7C9A9BECB8FD7B139AE84789064838CE450D8EED
            SHA-256:02D411CD4FB84C203375FBF0F0027463B8933B8E6C6858F6E044E942AC81E222
            SHA-512:C2590DBBE82E0A1B7F636D35021845FB9545C832767D0250326EEFA7883EFDD090F51B64D0536C178EF6F6CD64FC17E8F5A6B2E10305567B44DC67B9F80B3AC3
            Malicious:false
            Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            File Type:data
            Category:dropped
            Size (bytes):131072
            Entropy (8bit):3.687462608915011
            Encrypted:false
            SSDEEP:1536:s6leVLLjUW53jEpEHP4qQ10PAwrr1duHCCOmw:l05mp9MT
            MD5:053BA011F9CBE12457264198D9B47EC6
            SHA1:E6CA44430F57F35BA82AD634A7F30A17957BA60F
            SHA-256:94274F78C0AE9404443557375D80ED74F98438B078A1343A010BE6414D75953D
            SHA-512:A31CAF0CCE78F380646B391A71D785466F771BFC7FFDFC1A94CB1A12A853956C8C15C006E6A028EDC234BD38E96F2695A8BADC1594BB78848A9E23C9352AA795
            Malicious:false
            File type:RFC 822 mail, ASCII text, with very long lines (921), with CRLF line terminators
            Entropy (8bit):5.9686858455988805
            TrID:
            • E-Mail message (Var. 5) (54515/1) 100.00%
            File name:phish_alert_sp2_2.0.0.0 (4).eml
            File size:26'346 bytes
            MD5:53fde2f9dd5d70ac9541b5a36796c650
            SHA1:1bb4ba8b98a91c0f4288e6bfe059b3264ddb2dd5
            SHA256:a5f702b11a6441c8251ac0a65d44c9e221d7605e88228ffe265f6bdc9cb03c5e
            SHA512:5e20f081d2a269c7b12a406f37d34a00a7c3c38a91aa828f827413d2e4a76a0503d0afa156ca3f4fe6417f09792f1b03a8849490ee3f1e539893ec8e3c157aea
            SSDEEP:384:yR/kYiqMPPcutGIjkWjV7awbrlGNR3utPA91Cx/00laKPLT7P8:4/i1HcutGIjkWjV7aJug1Cmuh38
            TLSH:B5C28D72E780300BF639A1A8F0223EA4FFA401534B965455FA5E77B65BB1061093BBDF
            File Content Preview:Received: from SN7PR16MB5225.namprd16.prod.outlook.com.. (2603:10b6:806:350::19) by PH0PR16MB5131.namprd16.prod.outlook.com with.. HTTPS; Sun, 13 Oct 2024 00:37:38 +0000..Received: from BN9PR03CA0421.namprd03.prod.outlook.com.. (2603:10b6:408:113::6) by S
            Subject:Review users who will lose access to Jeffrey Turkington soon.
            From:SharePoint Online <MicrosoftNotifications@hilcorp.com>
            To:Jeffrey Turkington <Jeffrey.Turkington@hilcorp.com>
            Cc:
            BCC:
            Date:Sun, 13 Oct 2024 00:37:35 +0000
            Communications:
            • These people will lose access soon
              The following 1 people will lose access to Jeffrey Turkington (https://hilcorp0-my.sharepoint.com/personal/jeffrey_turkington_hilcorp_com/_layouts/15/UserExpiration.aspx?uee=1) in the next 21 days:
              Name: conner_kyle@hotmail.com
              Expires: 11/2/2024
              Manage access: https://hilcorp0-my.sharepoint.com/personal/jeffrey_turkington_hilcorp_com/_layouts/15/UserExpiration.aspx?uee=1
              This email was sent from an unmonitored mailbox. You are receiving this email because you have subscribed to Microsoft Office 365. This email is generated through Hilcorp's use of Microsoft 365 and may contain content that is controlled by Hilcorp.
            Attachments:
            • c2bbafe7-750d-48ac-bcbf-5379f611880f
            • 10b01976-ff6b-456d-abe3-ba5574082586
            Key Value
            Received: from northcentralus0.notifyp.svc.ms (23.96.181.185) by BN2PEPF000044AA.mail.protection.outlook.com (10.167.243.105) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.8048.13 via Frontend Transport; Sun, 13 Oct 2024 00:37:35 +0000
            X-Ms-Exchange-Authentication-Results: spf=none (sender IP is 23.96.181.185) smtp.mailfrom=hilcorp.com; dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=hilcorp.com;
            Date: Sun, 13 Oct 2024 00:37:35 +0000
            Subject: Review users who will lose access to Jeffrey Turkington soon.
            Message-Id: <ExpiringAccess-bc5759a1-103d-6000-bb49-f78ab634cd5f
            Sender: SharePoint Online <MicrosoftNotifications@hilcorp.com>
            To: Jeffrey Turkington <Jeffrey.Turkington@hilcorp.com>
            X-Crid: bc5759a1-103d-6000-bb49-f78ab634cd5f,bc5759a1-103d-6000-bb49-f78ab634cd5f-a4ac36be-aeec-4cf5-98fc-042a60047fa2-8937d868-f1fb-44d2-aff5-25628cc5d0b6-r0-SendEmail
            X-Tnid: 257ad91e-ce4b-4e01-8232-f79537810d30
            Return-Path: MicrosoftNotifications@hilcorp.com
            From: SharePoint Online <MicrosoftNotifications@hilcorp.com>
            MIME-Version: 1.0
            Content-Type: multipart/mixed; boundary="----sinikael-?=_1-17287997403580.12576315396969018"
            X-Ms-Exchange-Organization-Expirationstarttime: 13 Oct 2024 00:37:35.7112 (UTC)
            X-Ms-Exchange-Organization-Expirationstarttimereason: OriginalSubmit
            X-Ms-Exchange-Organization-Expirationinterval: 1:00:00:00.0000000
            X-Ms-Exchange-Organization-Expirationintervalreason: OriginalSubmit
            X-Ms-Exchange-Organization-Network-Message-Id: cb69f535-2d2d-4f1a-7a29-08dceb1f3ba7
            X-Ms-Exchange-Organization-Messagedirectionality: Originating
            X-Ms-Exchange-Organization-Authas: Internal
            X-Ms-Exchange-Organization-Authsource: TreatMessagesAsInternal-BN2PEPF000044AA.namprd04.prod.outlook.com
            X-Ms-Traffictypediagnostic: BN2PEPF000044AA:EE_FirstParty-SPO-V3|SN7PR16MB5225:EE_FirstParty-SPO-V3|PH0PR16MB5131:EE_FirstParty-SPO-V3
            X-Ms-Publictraffictype: Email
            X-Ms-Office365-Filtering-Correlation-Id: cb69f535-2d2d-4f1a-7a29-08dceb1f3ba7
            X-Ms-Exchange-Organization-Scl: 1
            X-Microsoft-Antispam: BCL:0;ARA:13230040|69100299015|7062799012|41050700001;
            X-Forefront-Antispam-Report: CIP:23.96.181.185;CTRY:US;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:northcentralus0.notifyp.svc.ms;PTR:InfoDomainNonexistent;CAT:NONE;SFS:(13230040)(69100299015)(7062799012)(41050700001);DIR:INT;
            X-Ms-Exchange-Crosstenant-Originalarrivaltime: 13 Oct 2024 00:37:35.5862 (UTC)
            X-Ms-Exchange-Crosstenant-Network-Message-Id: cb69f535-2d2d-4f1a-7a29-08dceb1f3ba7
            X-Ms-Exchange-Crosstenant-Id: 257ad91e-ce4b-4e01-8232-f79537810d30
            X-Ms-Exchange-Crosstenant-Originalattributedtenantconnectingip: TenantId=257ad91e-ce4b-4e01-8232-f79537810d30;Ip=[23.96.181.185];Helo=[northcentralus0.notifyp.svc.ms]
            X-Ms-Exchange-Crosstenant-Authas: Internal
            X-Ms-Exchange-Crosstenant-Authsource: TreatMessagesAsInternal-BN2PEPF000044AA.namprd04.prod.outlook.com
            X-Ms-Exchange-Crosstenant-Fromentityheader: Internet
            X-Ms-Exchange-Transport-Crosstenantheadersstamped: SN7PR16MB5225
            X-Ms-Exchange-Transport-Endtoendlatency: 00:00:02.9501344
            X-Ms-Exchange-Processed-By-Bccfoldering: 15.20.8048.017
            X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(425001)(930097)(140003);
            Content-Transfer-Encoding: 7bit

            Icon Hash:46070c0a8e0c67d6
            No network behavior found


            Target ID:1
            Start time:12:09:02
            Start date:13/10/2024
            Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
            Wow64 process (32bit):true
            Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\phish_alert_sp2_2.0.0.0 (4).eml"
            Imagebase:0x710000
            File size:34'446'744 bytes
            MD5 hash:91A5292942864110ED734005B7E005C0
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            Target ID:3
            Start time:12:09:08
            Start date:13/10/2024
            Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
            Wow64 process (32bit):false
            Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "0603E0F2-E27D-4380-B40F-7C0D8400D81C" "39916617-269A-4E2E-A890-A1742EEE255C" "5284" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
            Imagebase:0x7ff6486d0000
            File size:710'048 bytes
            MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:false

            No disassembly