Windows Analysis Report
attachment - 2024-05-23T192100.081.eml

Overview

General Information

Sample name: attachment - 2024-05-23T192100.081.eml
Analysis ID: 1446923
MD5: 23c593763b0c9689e5d82b461f86e77c
SHA1: 68769b41bb6683606a7eee5cd6450dcf710fc0e4
SHA256: e3be3345b9cae32ae0a068424fea9066e8b7f627746f3f86b96ea7f1bada2a8b
Infos:

Detection

Score: 1
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Queries the volume information (name, serial number etc) of a device
Sigma detected: Office Autorun Keys Modification
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Classification

  • System is w10x64
  • OUTLOOK.EXE (PID: 7584 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\attachment - 2024-05-23T192100.081.eml" MD5: 91A5292942864110ED734005B7E005C0)
    • ai.exe (PID: 7748 cmdline: "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "121F6C91-3062-48E0-A8A4-015737DA868E" "A74F547C-6FDA-419B-8976-3420780C2651" "7584" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx" MD5: EC652BEDD90E089D9406AFED89A8A8BD)
  • cleanup
No configs have been found
No yara matches
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE, ProcessId: 7584, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Addins\OneNote.OutlookAddin\1
No Snort rule has matched

There are no malicious signatures.

Source: unknown; DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: ~WRS{DA32F621-75A6-4130-8D27-B1929449B63D}.tmp.0.dr; String found in binary or memory: https://survey.vovici.com/och/2AD3ADAC691BBD2308DC7A75D80BDEE178
Source: attachment - 2024-05-23T192100.081.eml; String found in binary or memory: https://survey.vovici.com/oh/2AD3ADAC691BBD2308DC7A75D80BDEE178
Source: ~WRS{DA32F621-75A6-4130-8D27-B1929449B63D}.tmp.0.dr; String found in binary or memory: https://survey.vovici.com/se/2AD3ADAC691BBD2308DC7A75D80BDEE178
Source: ~WRS{DA32F621-75A6-4130-8D27-B1929449B63D}.tmp.0.dr; String found in binary or memory: https://survey.vovici.com/surveys/718515628/691bbd23inv0MSC_logo_small.jpg
Source: classification engine | Classification label: clean1.winEML@3/11@1/0
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user\Documents\Outlook Files\~Outlook Data File - NoEmail.pst.tmp
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | File created: C:\Users\user~1\AppData\Local\Temp\Outlook Logging\OUTLOOK_16_0_16827_20130-20240523T1924240968-7584.etl
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\attachment - 2024-05-23T192100.081.eml"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process created: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe "C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "121F6C91-3062-48E0-A8A4-015737DA868E" "A74F547C-6FDA-419B-8976-3420780C2651" "7584" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: c2r64.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: userenv.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: msasn1.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Section loaded: gpapi.dll
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{F959DBBB-3867-41F2-8E5F-3B8BEFAA81B3}\InprocServer32
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Queries volume information: C:\Program Files (x86)\Microsoft Office\root\Office16\AI\WordCombinedFloatieLreOnline.onnx VolumeInformation
Source: C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Process Discovery | Remote Services | Data from Local System | 1 Non-Application Layer Protocol | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 Process Injection | LSASS Memory | 12 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 1 DLL Side-Loading | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Behavior graph (ID: 1446923; sample: attachment - 2024-05-23T192...; start date: 24/05/2024; architecture: WINDOWS; score: 1): OUTLOOK.EXE started ai.exe; DNS/IP info: 198.187.3.20.in-addr.arpa

No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
    • Avira URL Cloud: safe
    unknown
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    http://weather.service.msn.com/data.aspx2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://apis.live.net/v5.0/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://officepyservice.office.net/service.functionality2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://templatesmetadata.office.net/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://messaging.lifecycle.office.com/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://pushchannel.1drv.ms2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://management.azure.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://outlook.office365.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://wus2.contentsync.2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://incidents.diagnostics.office.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://clients.config.office.net/user/v1.0/ios2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://make.powerautomate.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://api.addins.omex.office.net/api/addins/search2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://survey.vovici.com/och/2AD3ADAC691BBD2308DC7A75D80BDEE178~WRS{DA32F621-75A6-4130-8D27-B1929449B63D}.tmp.0.drfalse
    • Avira URL Cloud: safe
    unknown
    https://insertmedia.bing.office.net/odc/insertmedia2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://outlook.office365.com/api/v1.0/me/Activities2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://api.office.net2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://incidents.diagnosticssdf.office.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://asgsmsproxyapi.azurewebsites.net/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://clients.config.office.net/user/v1.0/android/policies2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://entitlement.diagnostics.office.com2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://substrate.office.com/search/api/v2/init2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    https://outlook.office.com/2682219F-AF00-4CA1-9FDA-AF827D96F1D4.0.drfalse
    • URL Reputation: safe
    unknown
    No contacted IP infos
    Joe Sandbox version:40.0.0 Tourmaline
    Analysis ID:1446923
    Start date and time:2024-05-24 01:23:14 +02:00
    Joe Sandbox product:CloudBasic
    Overall analysis duration:0h 4m 29s
    Hypervisor based Inspection enabled:false
    Report type:full
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Number of analysed new started processes analysed:7
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • EGA enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Sample name:attachment - 2024-05-23T192100.081.eml
    Detection:CLEAN
    Classification:clean1.winEML@3/11@1/0
    Cookbook Comments:
    • Found application associated with file extension: .eml
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
    • Excluded IPs from analysis (whitelisted): 40.126.31.73, 20.190.159.4, 20.190.159.73, 20.190.159.2, 40.126.31.71, 20.190.159.68, 20.190.159.64, 40.126.31.67, 52.109.89.18, 52.113.194.132, 20.189.173.24, 104.208.16.91
    • Excluded domains from analysis (whitelisted): ecs.office.com, prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, prod.configsvc1.live.com.akadns.net, weu-azsc-config.officeapps.live.com, s-0005-office.config.skype.com, login.msa.msidentity.com, mobile.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, onedscolprdcus17.centralus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, s-0005.s-msedge.net, config.officeapps.live.com, officeclient.microsoft.com, onedscolprdwus23.westus.cloudapp.azure.com, ecs.office.trafficmanager.net, europe.configsvc1.live.com.akadns.net, mobile.events.data.trafficmanager.net, www.tm.lg.prod.aadmsa.trafficmanager.net
    • Not all processes where analyzed, report is missing behavior information
    • Report size getting too big, too many NtQueryAttributesFile calls found.
    • Report size getting too big, too many NtQueryValueKey calls found.
    • VT rate limit hit for: attachment - 2024-05-23T192100.081.eml
    No simulations
    Input Output
    URL: e-Mail Model: gpt-4o
    ```json
    {
      "riskscore": 3,
      "reasons": "The email appears to be a legitimate customer feedback request from MSC Industrial Direct Co., Inc. It includes specific details such as a customer care reference number and date, which adds to its credibility. However, there are some potential red flags: the email asks the recipient to click on a link to provide feedback, which could be a phishing attempt if the link is malicious. Additionally, the email comes from a 'noreply' address, which is common in phishing emails. It's advisable to verify the link's authenticity before clicking."
    }
    ```
    No context
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):231348
    Entropy (8bit):4.374472739194041
    Encrypted:false
    SSDEEP:1536:veYLKngsgC1d3Y8uOgscrNcAz79ysQqt2TvzCqoQvFrcm0Fvt+QyXA4peU9pHgbq:VOg0IwgBmiGu2yqoQ9rt0FvIb9nql9R8
    MD5:35AB52F7FC672D81079E59317D53999D
    SHA1:546C02F2A37CC57FFB15B58B58862E1C9449E12F
    SHA-256:C53D19396F466880EE1274094C2C6AEDC4CD9DEA092F081C8E9BF5C5F8562B74
    SHA-512:BA95732694C90E177E6338BBC1B0F03AE4D75086EE3FA01DCCE288E857B7CFB1BB164BFF3B199373BC7B2ED083B5E9421210925C959ECDF4618C2CBAED59962E
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
    Category:dropped
    Size (bytes):167135
    Entropy (8bit):5.34050605209768
    Encrypted:false
    SSDEEP:1536:I+C7FPgOsB3U9guwwJQ9DQA+zqzhQok4F77nXmvYd8XRPEwreOR6Y:dIQ9DQA+zqzYXuMT
    MD5:FFC5F11240DAC51B32B5BEF3947FD3CE
    SHA1:137CCDDEE0A572E9D2371F903199FAE141FA3948
    SHA-256:32384796C479102AEE99A4F47024542B031B96D5A7A9FAF042203D6B9FFBB715
    SHA-512:0B503C974858B28DE20A1C6057B1ABDE40F9DFE5645785269619411AF1FAC1757707627C8FE272113544F132D312E7B24FFA86DA8D03205FE2F1D93681A08D21
    Malicious:false
    Reputation:low
    Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2024-05-23T23:24:27">.. Build: 16.0.17707.40127-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://word-edit.officeapps.live.com/we/rrdiscovery.ashx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId" o:authentication="1">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. <o:ticket o:policy="MBI_SSL_SHORT" o:idprovider="1" o:target="[MAX.AuthHost]" o:headerValue="Passport1.4 from-PP='{}&amp;p='" />.. <o:ticket o:idprovider="3" o:headerValue="Bearer {}" o:resourceId="[MAX.ResourceId]" o:authorityUrl="[ADALAuth
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):32768
    Entropy (8bit):0.04591939678467531
    Encrypted:false
    SSDEEP:3:GtlxtjlES/PnL7Uol1lxtjlES/PnL7M/t1R9//8l1lvlll1lllwlvlllglbelDbj:GtkS7711kS77sF9X01PH4l942wU
    MD5:57FDA5598909F10D63F63678B5A793A2
    SHA1:DCFFB399B0DDFE93EF5F149C97D27069126842C1
    SHA-256:135D5C73E8A4975D8334FF08547F1DA96D6B2502B2E5A9E0CE67C6B6DDA53F49
    SHA-512:8476BDD04CA3ABE80C068E6CA9B18E2A4A217318DFE29E379FFB9DC253F2D5224A6D79D76EAD83D62771ACD6E085F733243C51462C1A5B72B32EBCDCE3FA7CCF
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:SQLite Write-Ahead Log, version 3007000
    Category:modified
    Size (bytes):49472
    Entropy (8bit):0.4833659583682629
    Encrypted:false
    SSDEEP:48:mTnvQ1KvUll7DYMXtzO8VFDYMnBO8VFDYML:mklll4SjVG6jVGC
    MD5:BC7E1A43B39164F81F39E53A82D2EF72
    SHA1:E3BE9F1F68554B2E6179E10624C25FB37EA643B5
    SHA-256:E81FD20C3AAFE277D6D310E83F4248846EEE05F181F50E03FE99FD4D6F8AA8DE
    SHA-512:3BB222127BEEB4EACFC2999973287D07D7DBC541CF9755E8987B27CFC7E3469EF1FC0CABBC9E2F69365C3CF7B472F502F1E48BD09FE303E356C1FB2BB8B89441
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):4676
    Entropy (8bit):3.45283743609935
    Encrypted:false
    SSDEEP:48:Nfhq7wNpXilE2ASR14bWqHQHQHQHQHgHUYVIcZLAl3sc0LqLKfcHVcD1mcSzIcub:m7YpXi2uR14FYVLTYHHWD1TSzDm
    MD5:52789F306324E46779BC0FC44B627EC9
    SHA1:7ABC83492B9011A7C57C01D1613A2CC32FD83D67
    SHA-256:518CB7A6441ABA3E40628377C08F6EE506B1056BE19E9CD746D2222FC6713961
    SHA-512:8FB5AA9A5D9B1F9FD6A2752261FAC6833FC9B777459F1C018E1CFA0DB3A2DA6CD3B81120008B3A2D9C8469FC3BCFDC8E8E38041EC4F77111C911264DEFAEC98C
    Malicious:false
    Reputation:low
    Preview:....I.N.C.L.U.D.E.P.I.C.T.U.R.E. . .\.d. .".h.t.t.p.s.:././.s.u.r.v.e.y...v.o.v.i.c.i...c.o.m./.s.u.r.v.e.y.s./.7.1.8.5.1.5.6.2.8./.6.9.1.b.b.d.2.3.i.n.v.0.M.S.C._.l.o.g.o._.s.m.a.l.l...j.p.g.". .\.x. .\.y. .\.*. .M.E.R.G.E.F.O.R.M.A.T.I.N.E.T... . ...................................................................................................................................................................................................................................................................................x...z...~.......v...x.................................................................................................................................................................................................................................................................................................................................................$..$.If....:V.......t.....6......4........4........a....*...$..$.If........!v..h.#v....:V.......t.....6......5.......4
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:ASCII text, with very long lines (28759), with CRLF line terminators
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.1587449247996971
    Encrypted:false
    SSDEEP:1536:TV98xb75TI1UIiZiX2leCmYnZqQwzj4zZJkCzfrZ9MmYE7WwJxTWkBpqVBh:IbFMUIgTPk
    MD5:538F8939C9E8DEF9890B3C626016199C
    SHA1:ED8345F472686C2E7261145B4754F21D6564BB7F
    SHA-256:3A0FEA5487E668EAF744AFC53AD541BE4E7A9467CEF7C67D3ECFF69E53404F16
    SHA-512:3644211D62B1E28E1B66587BA94E64371A6AF8C5CAA82CA7A5B9360D90088C13C5530D210EA309C68B7C1EEFA547DE8F14934108E98931C748C7F0DAB219968F
    Malicious:false
    Reputation:low
    Preview:Timestamp.Process.TID.Area.Category.EventID.Level.Message.Correlation..05/23/2024 23:24:25.281.OUTLOOK (0x1DA0).0x1DA4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.GDIAssistant.HandleCallback","Flags":30962256044949761,"InternalSequenceNumber":22,"Time":"2024-05-23T23:24:25.281Z","Contract":"Office.System.Activity","Activity.CV":"CxNkvgrDckytdi6qKTdv1g.4.9","Activity.Duration":11,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.GdiFamilyName":"","Data.CloudFontStatus":6,"Data.CloudFontTypes":256}...05/23/2024 23:24:25.281.OUTLOOK (0x1DA0).0x1DA4.Microsoft Outlook.Telemetry Event.b7vzq.Medium.SendEvent {"EventName":"Office.Text.ResourceClient.Deserialize","Flags":30962256044949761,"InternalSequenceNumber":24,"Time":"2024-05-23T23:24:25.281Z","Contract":"Office.System.Activity","Activity.CV":"CxNkvgrDckytdi6qKTdv1g.4.10","Activity.Duration":8848,"Activity.Count":1,"Activity.AggMode":0,"Activity.Success":true,"Data.JsonFileMajorVe
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):20971520
    Entropy (8bit):0.0
    Encrypted:false
    SSDEEP:3::
    MD5:8F4E33F3DC3E414FF94E5FB6905CBA8C
    SHA1:9674344C90C2F0646F0B78026E127C9B86E3AD77
    SHA-256:CD52D81E25F372E6FA4DB2C0DFCEB59862C1969CAB17096DA352B34950C973CC
    SHA-512:7FB91E868F3923BBD043725818EF3A5D8D08EBF1059A18AC0FE07040D32EEBA517DA11515E6A4AFAEB29BCC5E0F1543BA2C595B0FE8E6167DDC5E6793EDEF5BB
    Malicious:false
    Reputation:high, very likely benign file
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):110592
    Entropy (8bit):4.503294333306155
    Encrypted:false
    SSDEEP:768:E+XkeVPvw+3MPhQFAhM4C+9ZdgcdLWwX/O4cO0kWGWgWAWyIBKWRE:Lniw4C+9ZdgcdywXMiH
    MD5:386E6C53AC3395CE4B9A27332F956FF5
    SHA1:E3AFBC69E0DA304FDB695FD484A9934903DBBF16
    SHA-256:67822CB04CDFB1B1A9FB3020FAA054946F1688DF88E6E6322291664E9AC48278
    SHA-512:AF0C320521D24746AC6076864E56B57C5504854338D9BF77D0050B8F110870B333BDC3B2461ED4C94F384DF5F2ED42C68AA4C43FDDF13A9577772085251420FB
    Malicious:false
    Reputation:low
    Preview:............................................................................h.............qYh...................eJ..............Zb..2...................................,...@.t.z.r.e.s...d.l.l.,.-.1.1.2.......................................................@.t.z.r.e.s...d.l.l.,.-.1.1.1.............................................................;LT.............qYh...........v.2._.O.U.T.L.O.O.K.:.1.d.a.0.:.3.2.b.1.e.e.d.9.f.f.0.0.4.5.2.0.9.d.8.f.e.a.6.4.b.e.6.a.3.0.f.0...C.:.\.U.s.e.r.s.\.F.R.O.N.T.D.~.1.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.O.u.t.l.o.o.k. .L.o.g.g.i.n.g.\.O.U.T.L.O.O.K._.1.6._.0._.1.6.8.2.7._.2.0.1.3.0.-.2.0.2.4.0.5.2.3.T.1.9.2.4.2.4.0.9.6.8.-.7.5.8.4...e.t.l.......P.P...........qYh...................................................................................................................................................................................................................................................................................................
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):30
    Entropy (8bit):1.2389205950315936
    Encrypted:false
    SSDEEP:3:H/nzlX:
    MD5:416C183A03938EF3D536792784B6C1E7
    SHA1:344655027526B47D70643BD4EEF435A221959DD7
    SHA-256:B5F8F89D230692ED8B55DB6DC67D5C13B6D6C2EA0B96EEF21096B40420D9C2D7
    SHA-512:ACD8020DF1C9174A9BD08D9AC1C31F12398456C073F53255F79832695B365DB5E64A8E8E2C1C2138015CBE721B5570C0A95094EE64FABA0F1376344F2BFC3297
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:Microsoft Outlook email folder (>=2003)
    Category:dropped
    Size (bytes):271360
    Entropy (8bit):2.446963466187925
    Encrypted:false
    SSDEEP:1536:uKBjUWotGxusbBfbjSWj7Jc5MvZRhW53jEpEHP4qQ10PAwrbVX/rW53jEpEHP4qD:fUWvBzS56p9Clp9
    MD5:5D1286814EDB71E1BFB255C3BD316955
    SHA1:5BC0F3EF45F8A2FB1B30FDD942479C09C4D9A056
    SHA-256:D80DA770144D7BBC13B29154C9F1FBDAE155AA2A50E179F09BD14E5E62C07E4E
    SHA-512:CC5C0AF165D031106CB4AE3F1FCA7AC6DD1AA2311FF491929A90F0640928F240BDA4DBFA0DA967F276AF6BDEAF85A39BB3405A6B60B1BCF902350A4992186B71
    Malicious:false
    Reputation:low
    Process:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
    File Type:data
    Category:dropped
    Size (bytes):131072
    Entropy (8bit):3.098696106094325
    Encrypted:false
    SSDEEP:1536:Uq+8Mw/07YcUF2W53jEpEHP4qQ10PAwrwzwh5R0d:76vUFEp9p
    MD5:C9B5CD1383AFF7A03561D9094A1A84F2
    SHA1:3DD548A1DEB3B89C6F9C2D2197DC7BEB3349936B
    SHA-256:2C590EF11F5A8B2969651FE9C6D60B1A271208FDBA6058DE3D6DA5F8DBF02B81
    SHA-512:03D10047CB7363331923301D28680EF69085ED12BA1E8D9376F7BAD151B14AC2DF65AD7E39724CD7739180224A2FD1D0854411D435939686A439060BD1072A11
    Malicious:false
    Reputation:low
    File type:text/html; charset="utf-8", ASCII text, with very long lines (998), with CRLF line terminators
    Entropy (8bit):6.090189664046095
    TrID:
      File name:attachment - 2024-05-23T192100.081.eml
      File size:11'900 bytes
      MD5:23c593763b0c9689e5d82b461f86e77c
      SHA1:68769b41bb6683606a7eee5cd6450dcf710fc0e4
      SHA256:e3be3345b9cae32ae0a068424fea9066e8b7f627746f3f86b96ea7f1bada2a8b
      SHA512:980ab348530079daa546b836d2c81366901d9a666d16355f4edb992f67e3cd1219af71dc5b316a2064f26a56618d898dcf6847d0b3f0a06617c482c1a0167414
      SSDEEP:192:/mXJkP/zBsver3Imebs79SzjHtqHLLIEzqN5minl4Kdkb/t2iFOPm82NOUx4ioW9:q8/zBs4YmCnqnIEA1yKwtpFEqEUWoyZi
      TLSH:7F325D518105A0347FE45FE23580BA0271F2B98FD6F2E8C28FE9897911D949D0BDE29F
      File Content Preview:Content-Type: text/html; charset="utf-8"..Date: Wed, 22 May 2024 15:48:12 +0000..From: "noreply@verintvoc.com" <noreply@verintvoc.com>..Subject: [External]We're listening! How was your recent Customer Care experience with MSC?..To: Melinda Thimlar <mthiml
      Subject:[External]We're listening! How was your recent Customer Care experience with MSC?
      From:"noreply@verintvoc.com" <noreply@verintvoc.com>
      To:Melinda Thimlar <mthimlar@autokiniton.com>
      Cc:
      BCC:
      Date:Wed, 22 May 2024 15:48:12 +0000
      Communications:
        Attachments:
          Key Value
          Content-Type: text/html; charset="utf-8"
          Date: Wed, 22 May 2024 15:48:12 +0000
          From: "noreply@verintvoc.com" <noreply@verintvoc.com>
          Subject: [External]We're listening! How was your recent Customer Care experience with MSC?
          To: Melinda Thimlar <mthimlar@autokiniton.com>
          Message-Id: <086bf86529a94106ac153bcf90bf8a87@verintvoc.com>
          Received: from smtp18.verintefm.com (smtp18.verintefm.com [35.160.180.46]) by mx0b-005c3601.pphosted.com (PPS) with ESMTPS id 3y6q9m3md1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT) for <mthimlar@autokiniton.com>; Wed, 22 May 2024 11:48:13 -0400 (EDT)
          Authentication-Results: spf=softfail (sender IP is 205.220.165.246) smtp.mailfrom=efmwestemail.verintefm.com; dkim=fail (body hash did not verify) header.d=verintvoc.com;dmarc=fail action=quarantine header.from=verintvoc.com;compauth=none reason=451
          Received-SPF: SoftFail (protection.outlook.com: domain of transitioning efmwestemail.verintefm.com discourages use of 205.220.165.246 as permitted sender)
          Authentication-Results-Original: agglp.com; spf=pass smtp.mailfrom=3e9.c.4UN4ETOQ86W1-0.efmadvantage-BVSA7G-T5WBVN-0-1@efmwestemail.verintefm.com; dkim=pass header.d=verintvoc.com header.s=verintefmvoc; dmarc=pass header.from=verintvoc.com
          List-Unsubscribe: <https://survey.vovici.com/oh/2AD3ADAC691BBD2308DC7A75D80BDEE178>
          List-Unsubscribe-Post: List-Unsubscribe=One-Click
          X-Proofpoint-GUID: bzkb3tbvTuGbDicv0QKsuXaNbLAa9L6e
          X-Proofpoint-ORIG-GUID: bzkb3tbvTuGbDicv0QKsuXaNbLAa9L6e
          X-CLX-Shades: MLX
          X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.1039,Hydra:6.0.650,FMLib:17.12.28.16 definitions=2024-05-22_08,2024-05-22_01,2024-05-17_01
          X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 phishscore=0 adultscore=0 lowpriorityscore=0 bulkscore=0 mlxscore=0 malwarescore=0 mlxlogscore=725 spamscore=0 impostorscore=0 suspectscore=0 priorityscore=85 clxscore=267 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.19.0-2405010000 definitions=main-2405220107 domainage_hfrom=175
          Return-Path: 3e9.c.4UN4ETOQ86W1-0.efmadvantage-BVSA7G-T5WBVN-0-1@efmwestemail.verintefm.com
          X-MS-Exchange-Organization-ExpirationStartTime: 22 May 2024 15:48:14.8526 (UTC)
          X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
          X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
          X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
          X-MS-Exchange-Organization-Network-Message-Id: 82701d51-e3c7-499c-cd6f-08dc7a7697a2
          X-EOPAttributedMessage: 0
          X-EOPTenantAttributedMessage: 802071d4-0038-4716-bcd4-0dee3e5b7ed8:0
          X-MS-Exchange-Organization-MessageDirectionality: Incoming
          X-MS-PublicTrafficType: Email
          X-MS-TrafficTypeDiagnostic: BN1PEPF0000467F:EE_|LV3PR16MB6647:EE_|SA1PR16MB4705:EE_
          X-MS-Exchange-Organization-AuthSource: BN1PEPF0000467F.namprd03.prod.outlook.com
          X-MS-Exchange-Organization-AuthAs: Anonymous
          X-MS-Office365-Filtering-Correlation-Id: 82701d51-e3c7-499c-cd6f-08dc7a7697a2
          X-MS-Exchange-Organization-SCL: -1
          X-Microsoft-Antispam: BCL:0;ARA:13230031|5073199003|82310400017|69100299006;
          X-Forefront-Antispam-Report: CIP:205.220.165.246;CTRY:US;LANG:en;SCL:-1;SRV:;IPV:CAL;SFV:SKN;H:mx0a-005c3601.pphosted.com;PTR:mx0a-005c3601.pphosted.com;CAT:NONE;SFS:(13230031)(5073199003)(82310400017)(69100299006);DIR:INB;
          X-MS-Exchange-CrossTenant-OriginalArrivalTime: 22 May 2024 15:48:14.4464 (UTC)
          X-MS-Exchange-CrossTenant-Network-Message-Id: 82701d51-e3c7-499c-cd6f-08dc7a7697a2
          X-MS-Exchange-CrossTenant-Id: 802071d4-0038-4716-bcd4-0dee3e5b7ed8
          X-MS-Exchange-CrossTenant-AuthSource: BN1PEPF0000467F.namprd03.prod.outlook.com
          X-MS-Exchange-CrossTenant-AuthAs: Anonymous
          X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
          X-MS-Exchange-Transport-CrossTenantHeadersStamped: LV3PR16MB6647
          X-MS-Exchange-Transport-EndToEndLatency: 00:00:04.7030630
          X-MS-Exchange-Processed-By-BccFoldering: 15.20.7587.028
          X-Microsoft-Antispam-Mailbox-Delivery: ucf:0;jmr:0;auth:0;dest:I;ENG:(910001)(944506478)(944626604)(920097)(930097)(140003);
          X-PhishAlarm-Format: PhishAlarm O365 Add-In/3.7.122
          Content-Transfer-Encoding: base64
          MIME-Version: 1.0

          Icon Hash:46070c0a8e0c67d6
          Timestamp | Source Port | Dest Port | Source IP | Dest IP
          May 24, 2024 01:24:49.665355921 CEST | 53 | 56512 | 162.159.36.2 | 192.168.2.7
          May 24, 2024 01:24:50.204801083 CEST | 56131 | 53 | 192.168.2.7 | 1.1.1.1
          May 24, 2024 01:24:50.260157108 CEST | 53 | 56131 | 1.1.1.1 | 192.168.2.7

          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
          May 24, 2024 01:24:50.204801083 CEST | 192.168.2.7 | 1.1.1.1 | 0x47d0 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
          May 24, 2024 01:24:50.260157108 CEST | 1.1.1.1 | 192.168.2.7 | 0x47d0 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false


          Target ID:0
          Start time:19:24:24
          Start date:23/05/2024
          Path:C:\Program Files (x86)\Microsoft Office\root\Office16\OUTLOOK.EXE
          Wow64 process (32bit):true
          Commandline:"C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\user\Desktop\attachment - 2024-05-23T192100.081.eml"
          Imagebase:0xf50000
          File size:34'446'744 bytes
          MD5 hash:91A5292942864110ED734005B7E005C0
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:false

          Target ID:2
          Start time:19:24:26
          Start date:23/05/2024
          Path:C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe
          Wow64 process (32bit):false
          Commandline:"C:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Office16\ai.exe" "121F6C91-3062-48E0-A8A4-015737DA868E" "A74F547C-6FDA-419B-8976-3420780C2651" "7584" "C:\Program Files (x86)\Microsoft Office\Root\Office16\OUTLOOK.EXE" "WordCombinedFloatieLreOnline.onnx"
          Imagebase:0x7ff685b50000
          File size:710'048 bytes
          MD5 hash:EC652BEDD90E089D9406AFED89A8A8BD
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:moderate
          Has exited:false

          No disassembly